https://ankitmaurya.pages.dev/ Recent content on Ankit Maurya Hugo en Fri, 15 May 2026 00:00:00 +0000 https://ankitmaurya.pages.dev/blog/initial-vps-setup/ Fri, 15 May 2026 00:00:00 +0000 https://ankitmaurya.pages.dev/blog/initial-vps-setup/ <h4 id="-the-situation">⚠️ The Situation</h4> <ul> <li>Fresh VPS = <strong>immediate bot scans + SSH brute force</strong></li> <li>Default configs = weak</li> <li>If you delay → you <em>will</em> get hit</li> </ul> <hr> <h3 id="-step-1-create-non-root-user-with-sudo">✅ Step 1: Create Non-Root User (With Sudo)</h3> <h4 id="command">Command</h4> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">adduser youruser </span></span><span class="line"><span class="cl">usermod -aG sudo youruser </span></span></code></pre></div><p><strong>What it does</strong></p> <p>Creates a normal user and gives admin privileges.</p> <p>⚠️ Caution</p> <ul> <li>Never continue using <code>root</code> for daily work</li> </ul> <hr> <h3 id="-step-2-setup-ssh-key-authentication">✅ Step 2: Setup SSH Key Authentication</h3> <h4 id="-generate-key-local-machine">🔹 Generate Key (Local Machine)</h4> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ssh-keygen-t ed25519-C<span class="s2">&#34;your-email@example.com&#34;</span> </span></span></code></pre></div><hr> <h4 id="-copy-key-to-server">🔹 Copy Key to Server</h4> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-powershell" data-lang="powershell"><span class="line"><span class="cl"><span class="nb">ssh-copy</span><span class="n">-id</span> <span class="n">youruser</span><span class="nv">@your</span><span class="n">-server-ip</span> </span></span></code></pre></div><hr> <h4 id="-test-login">🔹 Test Login</h4> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ssh youruser@your-server-ip </span></span></code></pre></div><p>⚠️ Caution</p> https://ankitmaurya.pages.dev/blog/securing-cloud-infrastructure/ Thu, 20 Jun 2024 00:00:00 +0000 https://ankitmaurya.pages.dev/blog/securing-cloud-infrastructure/ <p>Cloud security is often viewed as complex, but fundamental practices can dramatically improve your security posture. Here&rsquo;s what I&rsquo;ve learned from building secure cloud architectures.</p> <h2 id="identity--access-management">Identity &amp; Access Management</h2> <p>The foundation of cloud security starts with IAM. Too many organizations grant broad permissions &ldquo;for convenience&rdquo; which creates significant risk.</p> <h3 id="least-privilege-principle">Least Privilege Principle</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-json" data-lang="json"><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;Version&#34;</span><span class="p">:</span> <span class="s2">&#34;2012-10-17&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;Statement&#34;</span><span class="p">:</span> <span class="p">[{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;Effect&#34;</span><span class="p">:</span> <span class="s2">&#34;Allow&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;Action&#34;</span><span class="p">:</span> <span class="p">[</span><span class="s2">&#34;s3:GetObject&#34;</span><span class="p">],</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;Resource&#34;</span><span class="p">:</span> <span class="s2">&#34;arn:aws:s3:::my-bucket/*&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;Condition&#34;</span><span class="p">:</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;IpAddress&#34;</span><span class="p">:</span> <span class="p">{</span><span class="nt">&#34;aws:SourceIp&#34;</span><span class="p">:</span> <span class="s2">&#34;10.0.0.0/8&#34;</span><span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}]</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></div><p>This policy only allows GetObject from the internal network range, not from anywhere else.</p> https://ankitmaurya.pages.dev/projects/mcp-monitoring/ Sat, 15 Jun 2024 00:00:00 +0000 https://ankitmaurya.pages.dev/projects/mcp-monitoring/ <p>This project is a proxy-based monitoring system for inspecting LLM context during conversations. It provides visibility into what&rsquo;s being sent to and from AI models.</p> <h2 id="features">Features</h2> <ul> <li><strong>Context Inspection</strong>: Monitor all prompts and responses going to LLM APIs</li> <li><strong>Security Logging</strong>: Capture and store interaction data for security analysis</li> <li><strong>Real-time Monitoring</strong>: Live view of active conversations</li> <li><strong>Data Export</strong>: Export conversation logs for analysis</li> </ul> <h2 id="architecture">Architecture</h2> <p>The tool sits as a proxy between your application and the LLM API, intercepting all traffic for inspection.</p> https://ankitmaurya.pages.dev/projects/cloudflare-tunnel/ Mon, 20 May 2024 00:00:00 +0000 https://ankitmaurya.pages.dev/projects/cloudflare-tunnel/ <p>A comprehensive guide to exposing self-hosted services securely using Cloudflare Tunnel and Nginx reverse proxy.</p> <h2 id="why-this-setup">Why This Setup?</h2> <ul> <li>No need to open ports on your firewall</li> <li>Automatic SSL/TLS encryption</li> <li>DDoS protection from Cloudflare</li> <li>Access control via Cloudflare Access</li> </ul> <h2 id="architecture-overview">Architecture Overview</h2> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">User --&gt; Cloudflare --&gt; Tunnel --&gt; Nginx --&gt; Service </span></span></code></pre></div><h2 id="configuration-steps">Configuration Steps</h2> <ol> <li>Create a Cloudflare account and add your domain</li> <li>Install cloudflared on your server</li> <li>Configure the tunnel with your services</li> <li>Set up Nginx as a reverse proxy</li> <li>Configure SSL certificates</li> </ol> <h2 id="nginx-configuration">Nginx Configuration</h2> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-nginx" data-lang="nginx"><span class="line"><span class="cl"><span class="k">server</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">listen</span> <span class="mi">443</span> <span class="s">ssl</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">server_name</span> <span class="s">service.example.com</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="kn">ssl_certificate</span> <span class="s">/etc/ssl/certs/cert.pem</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">ssl_certificate_key</span> <span class="s">/etc/ssl/private/key.pem</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="kn">location</span> <span class="s">/</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">proxy_pass</span> <span class="s">http://localhost:8080</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">proxy_set_header</span> <span class="s">Host</span> <span class="nv">$host</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">proxy_set_header</span> <span class="s">X-Real-IP</span> <span class="nv">$remote_addr</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></div><h2 id="security-considerations">Security Considerations</h2> <ul> <li>Enable authenticated origin pulls</li> <li>Use Cloudflare Access for sensitive services</li> <li>Implement rate limiting</li> <li>Log all access attempts</li> </ul> https://ankitmaurya.pages.dev/blog/cspm-pipeline/ Wed, 15 May 2024 00:00:00 +0000 https://ankitmaurya.pages.dev/blog/cspm-pipeline/ <p>Cloud Security Posture Management (CSPM) pipelines help organizations continuously monitor and improve their security posture. Here&rsquo;s what I learned building CSPM solutions.</p> <h2 id="why-cspm-matters">Why CSPM Matters</h2> <p>Manual security reviews don&rsquo;t scale. As cloud infrastructure grows, you need automated checks that run continuously.</p> <h2 id="core-components">Core Components</h2> <h3 id="1-data-collection">1. Data Collection</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">boto3</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">collect_iam_policies</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="n">iam</span> <span class="o">=</span> <span class="n">boto3</span><span class="o">.</span><span class="n">client</span><span class="p">(</span><span class="s1">&#39;iam&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">policies</span> <span class="o">=</span> <span class="n">iam</span><span class="o">.</span><span class="n">list_policies</span><span class="p">(</span><span class="n">Scope</span><span class="o">=</span><span class="s1">&#39;Local&#39;</span><span class="p">)[</span><span class="s1">&#39;Policies&#39;</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="p">[</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="s1">&#39;arn&#39;</span><span class="p">:</span> <span class="n">p</span><span class="p">[</span><span class="s1">&#39;Arn&#39;</span><span class="p">],</span> </span></span><span class="line"><span class="cl"> <span class="s1">&#39;name&#39;</span><span class="p">:</span> <span class="n">p</span><span class="p">[</span><span class="s1">&#39;PolicyName&#39;</span><span class="p">],</span> </span></span><span class="line"><span class="cl"> <span class="s1">&#39;version&#39;</span><span class="p">:</span> <span class="n">iam</span><span class="o">.</span><span class="n">get_policy_version</span><span class="p">(</span> </span></span><span class="line"><span class="cl"> <span class="n">PolicyArn</span><span class="o">=</span><span class="n">p</span><span class="p">[</span><span class="s1">&#39;Arn&#39;</span><span class="p">],</span> </span></span><span class="line"><span class="cl"> <span class="n">VersionId</span><span class="o">=</span><span class="n">iam</span><span class="o">.</span><span class="n">get_default_version_id</span><span class="p">(</span><span class="n">p</span><span class="p">[</span><span class="s1">&#39;Arn&#39;</span><span class="p">])[</span><span class="s1">&#39;DefaultVersionId&#39;</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="p">)[</span><span class="s1">&#39;PolicyVersion&#39;</span><span class="p">][</span><span class="s1">&#39;Document&#39;</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">p</span> <span class="ow">in</span> <span class="n">policies</span> </span></span><span class="line"><span class="cl"> <span class="p">]</span> </span></span></code></pre></div><h3 id="2-policy-evaluation">2. Policy Evaluation</h3> <p>Each control should map to a security benchmark (CIS, NIST, SOC2). Example check:</p> https://ankitmaurya.pages.dev/projects/n8n-automation/ Wed, 10 Apr 2024 00:00:00 +0000 https://ankitmaurya.pages.dev/projects/n8n-automation/ <p>Building an AI-powered automation system using n8n for security operations and workflow management.</p> <h2 id="overview">Overview</h2> <p>This system automates security tasks using n8n workflows, AI integrations, and various notification channels.</p> <h2 id="key-components">Key Components</h2> <ul> <li><strong>n8n Engine</strong>: Core workflow automation</li> <li><strong>Telegram Bot</strong>: Alert notifications and commands</li> <li><strong>Webhook Triggers</strong>: Integration with external services</li> <li><strong>AI Processing</strong>: GPT-based analysis and responses</li> </ul> <h2 id="workflow-examples">Workflow Examples</h2> <h3 id="security-alert-pipeline">Security Alert Pipeline</h3> <ol> <li>Receive webhook from security tool</li> <li>Parse alert data</li> <li>Send to AI for classification</li> <li>Route based on severity (Telegram/Email)</li> <li>Log to database</li> </ol> <h2 id="telegram-integration">Telegram Integration</h2> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"><span class="c1">// n8n Telegram node configuration </span></span></span><span class="line"><span class="cl"><span class="c1"></span><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nx">chatId</span><span class="o">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">TELEGRAM_CHAT_ID</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nx">text</span><span class="o">:</span> <span class="s2">&#34;Security Alert: {{ $json.alert_type }}&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nx">parse_mode</span><span class="o">:</span> <span class="s2">&#34;HTML&#34;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></div><h2 id="benefits">Benefits</h2> <ul> <li>Automated incident response</li> <li>Reduced manual monitoring</li> <li>Faster alert routing</li> <li>Integration with existing tools</li> </ul> https://ankitmaurya.pages.dev/blog/zero-trust-architecture/ Mon, 08 Apr 2024 00:00:00 +0000 https://ankitmaurya.pages.dev/blog/zero-trust-architecture/ <p>Zero Trust isn&rsquo;t a product you buy—it&rsquo;s a security philosophy you implement. Here&rsquo;s a practical approach to building zero trust in cloud environments.</p> <h2 id="core-principles">Core Principles</h2> <ol> <li><strong>Never Trust, Always Verify</strong></li> <li><strong>Assume Breach</strong></li> <li><strong>Least Privilege Access</strong></li> <li><strong>Verify Explicitly</strong></li> </ol> <h2 id="network-layer">Network Layer</h2> <p>Traditional perimeter security assumes everything inside is trusted. Zero trust rejects this.</p> <h3 id="micro-segmentation">Micro-segmentation</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-hcl" data-lang="hcl"><span class="line"><span class="cl"><span class="c1"># Terraform: Security groups for micro-segmentation </span></span></span><span class="line"><span class="cl"><span class="c1"></span><span class="k">resource</span> <span class="s2">&#34;aws_security_group&#34; &#34;app_server&#34;</span> { </span></span><span class="line"><span class="cl"><span class="n"> name</span> <span class="o">=</span> <span class="s2">&#34;app-server&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> vpc_id</span> <span class="o">=</span> <span class="k">var</span><span class="p">.</span><span class="k">vpc_id</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">ingress</span> { </span></span><span class="line"><span class="cl"><span class="n"> from_port</span> <span class="o">=</span> <span class="m">443</span> </span></span><span class="line"><span class="cl"><span class="n"> to_port</span> <span class="o">=</span> <span class="m">443</span> </span></span><span class="line"><span class="cl"><span class="n"> protocol</span> <span class="o">=</span> <span class="s2">&#34;tcp&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> security_groups</span> <span class="o">=</span> <span class="p">[</span><span class="k">aws_security_group</span><span class="p">.</span><span class="k">load_balancer</span><span class="p">.</span><span class="k">id</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> } </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">egress</span> { </span></span><span class="line"><span class="cl"><span class="n"> from_port</span> <span class="o">=</span> <span class="m">5432</span> </span></span><span class="line"><span class="cl"><span class="n"> to_port</span> <span class="o">=</span> <span class="m">5432</span> </span></span><span class="line"><span class="cl"><span class="n"> protocol</span> <span class="o">=</span> <span class="s2">&#34;tcp&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> security_groups</span> <span class="o">=</span> <span class="p">[</span><span class="k">aws_security_group</span><span class="p">.</span><span class="k">database</span><span class="p">.</span><span class="k">id</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> } </span></span><span class="line"><span class="cl">} </span></span></code></pre></div><p>Services can only communicate with explicitly allowed paths.</p> https://ankitmaurya.pages.dev/blog/container-security/ Wed, 20 Mar 2024 00:00:00 +0000 https://ankitmaurya.pages.dev/blog/container-security/ <p>Container security is critical in modern cloud-native applications. Here&rsquo;s a comprehensive guide to securing your containerized workloads.</p> <h2 id="container-images">Container Images</h2> <h3 id="use-minimal-base-images">Use Minimal Base Images</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-dockerfile" data-lang="dockerfile"><span class="line"><span class="cl"><span class="c"># Bad: Large base image with many dependencies</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"></span><span class="k">FROM</span><span class="s"> ubuntu:22.04</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"></span><span class="c"># Good: Minimal image with just what&#39;s needed</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"></span><span class="k">FROM</span><span class="s"> gcr.io/distroless/static-debian12</span><span class="err"> </span></span></span></code></pre></div><p>Distroless images contain only the application and its runtime dependencies, reducing the attack surface.</p> <h3 id="multi-stage-builds">Multi-Stage Builds</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-dockerfile" data-lang="dockerfile"><span class="line"><span class="cl"><span class="c"># Build stage</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"></span><span class="k">FROM</span><span class="s"> golang:1.22 AS builder</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"></span><span class="k">WORKDIR</span><span class="s"> /app</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"></span><span class="k">COPY</span> . .<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"></span><span class="k">RUN</span> <span class="nv">CGO_ENABLED</span><span class="o">=</span><span class="m">0</span> go build -o main<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"></span><span class="c"># Production stage</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"></span><span class="k">FROM</span><span class="s"> gcr.io/distroless/static-debian12</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"></span><span class="k">COPY</span> --from<span class="o">=</span>builder /app/main /main<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"></span><span class="k">ENTRYPOINT</span> <span class="p">[</span><span class="s2">&#34;/main&#34;</span><span class="p">]</span><span class="err"> </span></span></span></code></pre></div><p>This keeps build tools and source code out of production images.</p> https://ankitmaurya.pages.dev/projects/jwt-analysis/ Tue, 05 Mar 2024 00:00:00 +0000 https://ankitmaurya.pages.dev/projects/jwt-analysis/ <p>Tools and techniques for analyzing JWT tokens for authentication vulnerabilities.</p> <h2 id="jwt-overview">JWT Overview</h2> <p>JSON Web Tokens (JWT) are commonly used for authentication but can introduce security issues if not implemented correctly.</p> <h2 id="common-vulnerabilities">Common Vulnerabilities</h2> <h3 id="algorithm-confusion-alg-none">Algorithm Confusion (alg: none)</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="c1"># Exploit: Change alg to &#34;none&#34; and remove signature</span> </span></span><span class="line"><span class="cl"><span class="n">header</span> <span class="o">=</span> <span class="p">{</span><span class="s2">&#34;alg&#34;</span><span class="p">:</span> <span class="s2">&#34;none&#34;</span><span class="p">,</span> <span class="s2">&#34;typ&#34;</span><span class="p">:</span> <span class="s2">&#34;JWT&#34;</span><span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="n">payload</span> <span class="o">=</span> <span class="p">{</span><span class="s2">&#34;sub&#34;</span><span class="p">:</span> <span class="s2">&#34;1234567890&#34;</span><span class="p">,</span> <span class="s2">&#34;role&#34;</span><span class="p">:</span> <span class="s2">&#34;admin&#34;</span><span class="p">}</span> </span></span></code></pre></div><h3 id="key-confusion-rs256-to-hs256">Key Confusion (RS256 to HS256)</h3> <p>If the server uses RS256 but the library accepts HS256 with the public key as the secret.</p> <h2 id="analysis-tools">Analysis Tools</h2> <ul> <li>JWT.io for manual inspection</li> <li>Custom Python scripts for batch analysis</li> <li>Burp Suite extension for runtime inspection</li> </ul> <h2 id="validation-checklist">Validation Checklist</h2> <ol> <li>Verify signature with correct algorithm</li> <li>Check token expiration (exp claim)</li> <li>Validate audience (aud claim)</li> <li>Ensure proper key management</li> <li>Use strong secret keys (256-bit minimum)</li> </ol> <h2 id="best-practices">Best Practices</h2> <ul> <li>Always validate algorithm expected by your application</li> <li>Use asymmetric algorithms (RS256) when possible</li> <li>Implement token rotation</li> <li>Set appropriate expiration times</li> </ul> https://ankitmaurya.pages.dev/about/ Mon, 01 Jan 0001 00:00:00 +0000 https://ankitmaurya.pages.dev/about/ <p>Hi, I&rsquo;m <strong>Ankit Maurya</strong>.</p> <p>I work in cloud security, application security, and automation engineering. Most of my work revolves around building secure infrastructure, improving visibility across environments, and automating repetitive operational tasks.</p> <p>Over the years, I&rsquo;ve developed a strong interest in practical security engineering — not just theoretical concepts. I enjoy understanding how systems actually work under the hood, breaking down complex architectures, and building secure solutions that are usable in the real world.</p>