Security on Ankit Maurya https://ankitmaurya.pages.dev/tags/security/ Recent content in Security on Ankit Maurya Hugo en Sat, 15 Jun 2024 00:00:00 +0000 MCP Monitoring Tool https://ankitmaurya.pages.dev/projects/mcp-monitoring/ Sat, 15 Jun 2024 00:00:00 +0000 https://ankitmaurya.pages.dev/projects/mcp-monitoring/ <p>This project is a proxy-based monitoring system for inspecting LLM context during conversations. It provides visibility into what&rsquo;s being sent to and from AI models.</p> <h2 id="features">Features</h2> <ul> <li><strong>Context Inspection</strong>: Monitor all prompts and responses going to LLM APIs</li> <li><strong>Security Logging</strong>: Capture and store interaction data for security analysis</li> <li><strong>Real-time Monitoring</strong>: Live view of active conversations</li> <li><strong>Data Export</strong>: Export conversation logs for analysis</li> </ul> <h2 id="architecture">Architecture</h2> <p>The tool sits as a proxy between your application and the LLM API, intercepting all traffic for inspection.</p> Secure Cloudflare Tunnel + Nginx https://ankitmaurya.pages.dev/projects/cloudflare-tunnel/ Mon, 20 May 2024 00:00:00 +0000 https://ankitmaurya.pages.dev/projects/cloudflare-tunnel/ <p>A comprehensive guide to exposing self-hosted services securely using Cloudflare Tunnel and Nginx reverse proxy.</p> <h2 id="why-this-setup">Why This Setup?</h2> <ul> <li>No need to open ports on your firewall</li> <li>Automatic SSL/TLS encryption</li> <li>DDoS protection from Cloudflare</li> <li>Access control via Cloudflare Access</li> </ul> <h2 id="architecture-overview">Architecture Overview</h2> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">User --&gt; Cloudflare --&gt; Tunnel --&gt; Nginx --&gt; Service </span></span></code></pre></div><h2 id="configuration-steps">Configuration Steps</h2> <ol> <li>Create a Cloudflare account and add your domain</li> <li>Install cloudflared on your server</li> <li>Configure the tunnel with your services</li> <li>Set up Nginx as a reverse proxy</li> <li>Configure SSL certificates</li> </ol> <h2 id="nginx-configuration">Nginx Configuration</h2> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-nginx" data-lang="nginx"><span class="line"><span class="cl"><span class="k">server</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">listen</span> <span class="mi">443</span> <span class="s">ssl</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">server_name</span> <span class="s">service.example.com</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="kn">ssl_certificate</span> <span class="s">/etc/ssl/certs/cert.pem</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">ssl_certificate_key</span> <span class="s">/etc/ssl/private/key.pem</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="kn">location</span> <span class="s">/</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">proxy_pass</span> <span class="s">http://localhost:8080</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">proxy_set_header</span> <span class="s">Host</span> <span class="nv">$host</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">proxy_set_header</span> <span class="s">X-Real-IP</span> <span class="nv">$remote_addr</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></div><h2 id="security-considerations">Security Considerations</h2> <ul> <li>Enable authenticated origin pulls</li> <li>Use Cloudflare Access for sensitive services</li> <li>Implement rate limiting</li> <li>Log all access attempts</li> </ul> Building a CSPM Pipeline: Lessons Learned https://ankitmaurya.pages.dev/blog/cspm-pipeline/ Wed, 15 May 2024 00:00:00 +0000 https://ankitmaurya.pages.dev/blog/cspm-pipeline/ <p>Cloud Security Posture Management (CSPM) pipelines help organizations continuously monitor and improve their security posture. Here&rsquo;s what I learned building CSPM solutions.</p> <h2 id="why-cspm-matters">Why CSPM Matters</h2> <p>Manual security reviews don&rsquo;t scale. As cloud infrastructure grows, you need automated checks that run continuously.</p> <h2 id="core-components">Core Components</h2> <h3 id="1-data-collection">1. Data Collection</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">boto3</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">collect_iam_policies</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="n">iam</span> <span class="o">=</span> <span class="n">boto3</span><span class="o">.</span><span class="n">client</span><span class="p">(</span><span class="s1">&#39;iam&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">policies</span> <span class="o">=</span> <span class="n">iam</span><span class="o">.</span><span class="n">list_policies</span><span class="p">(</span><span class="n">Scope</span><span class="o">=</span><span class="s1">&#39;Local&#39;</span><span class="p">)[</span><span class="s1">&#39;Policies&#39;</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="p">[</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="s1">&#39;arn&#39;</span><span class="p">:</span> <span class="n">p</span><span class="p">[</span><span class="s1">&#39;Arn&#39;</span><span class="p">],</span> </span></span><span class="line"><span class="cl"> <span class="s1">&#39;name&#39;</span><span class="p">:</span> <span class="n">p</span><span class="p">[</span><span class="s1">&#39;PolicyName&#39;</span><span class="p">],</span> </span></span><span class="line"><span class="cl"> <span class="s1">&#39;version&#39;</span><span class="p">:</span> <span class="n">iam</span><span class="o">.</span><span class="n">get_policy_version</span><span class="p">(</span> </span></span><span class="line"><span class="cl"> <span class="n">PolicyArn</span><span class="o">=</span><span class="n">p</span><span class="p">[</span><span class="s1">&#39;Arn&#39;</span><span class="p">],</span> </span></span><span class="line"><span class="cl"> <span class="n">VersionId</span><span class="o">=</span><span class="n">iam</span><span class="o">.</span><span class="n">get_default_version_id</span><span class="p">(</span><span class="n">p</span><span class="p">[</span><span class="s1">&#39;Arn&#39;</span><span class="p">])[</span><span class="s1">&#39;DefaultVersionId&#39;</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="p">)[</span><span class="s1">&#39;PolicyVersion&#39;</span><span class="p">][</span><span class="s1">&#39;Document&#39;</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">p</span> <span class="ow">in</span> <span class="n">policies</span> </span></span><span class="line"><span class="cl"> <span class="p">]</span> </span></span></code></pre></div><h3 id="2-policy-evaluation">2. Policy Evaluation</h3> <p>Each control should map to a security benchmark (CIS, NIST, SOC2). Example check:</p> Zero Trust Architecture: Implementation Guide https://ankitmaurya.pages.dev/blog/zero-trust-architecture/ Mon, 08 Apr 2024 00:00:00 +0000 https://ankitmaurya.pages.dev/blog/zero-trust-architecture/ <p>Zero Trust isn&rsquo;t a product you buy—it&rsquo;s a security philosophy you implement. Here&rsquo;s a practical approach to building zero trust in cloud environments.</p> <h2 id="core-principles">Core Principles</h2> <ol> <li><strong>Never Trust, Always Verify</strong></li> <li><strong>Assume Breach</strong></li> <li><strong>Least Privilege Access</strong></li> <li><strong>Verify Explicitly</strong></li> </ol> <h2 id="network-layer">Network Layer</h2> <p>Traditional perimeter security assumes everything inside is trusted. Zero trust rejects this.</p> <h3 id="micro-segmentation">Micro-segmentation</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-hcl" data-lang="hcl"><span class="line"><span class="cl"><span class="c1"># Terraform: Security groups for micro-segmentation </span></span></span><span class="line"><span class="cl"><span class="c1"></span><span class="k">resource</span> <span class="s2">&#34;aws_security_group&#34; &#34;app_server&#34;</span> { </span></span><span class="line"><span class="cl"><span class="n"> name</span> <span class="o">=</span> <span class="s2">&#34;app-server&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> vpc_id</span> <span class="o">=</span> <span class="k">var</span><span class="p">.</span><span class="k">vpc_id</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">ingress</span> { </span></span><span class="line"><span class="cl"><span class="n"> from_port</span> <span class="o">=</span> <span class="m">443</span> </span></span><span class="line"><span class="cl"><span class="n"> to_port</span> <span class="o">=</span> <span class="m">443</span> </span></span><span class="line"><span class="cl"><span class="n"> protocol</span> <span class="o">=</span> <span class="s2">&#34;tcp&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> security_groups</span> <span class="o">=</span> <span class="p">[</span><span class="k">aws_security_group</span><span class="p">.</span><span class="k">load_balancer</span><span class="p">.</span><span class="k">id</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> } </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">egress</span> { </span></span><span class="line"><span class="cl"><span class="n"> from_port</span> <span class="o">=</span> <span class="m">5432</span> </span></span><span class="line"><span class="cl"><span class="n"> to_port</span> <span class="o">=</span> <span class="m">5432</span> </span></span><span class="line"><span class="cl"><span class="n"> protocol</span> <span class="o">=</span> <span class="s2">&#34;tcp&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> security_groups</span> <span class="o">=</span> <span class="p">[</span><span class="k">aws_security_group</span><span class="p">.</span><span class="k">database</span><span class="p">.</span><span class="k">id</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> } </span></span><span class="line"><span class="cl">} </span></span></code></pre></div><p>Services can only communicate with explicitly allowed paths.</p> Container Security Best Practices https://ankitmaurya.pages.dev/blog/container-security/ Wed, 20 Mar 2024 00:00:00 +0000 https://ankitmaurya.pages.dev/blog/container-security/ <p>Container security is critical in modern cloud-native applications. Here&rsquo;s a comprehensive guide to securing your containerized workloads.</p> <h2 id="container-images">Container Images</h2> <h3 id="use-minimal-base-images">Use Minimal Base Images</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-dockerfile" data-lang="dockerfile"><span class="line"><span class="cl"><span class="c"># Bad: Large base image with many dependencies</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"></span><span class="k">FROM</span><span class="s"> ubuntu:22.04</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"></span><span class="c"># Good: Minimal image with just what&#39;s needed</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"></span><span class="k">FROM</span><span class="s"> gcr.io/distroless/static-debian12</span><span class="err"> </span></span></span></code></pre></div><p>Distroless images contain only the application and its runtime dependencies, reducing the attack surface.</p> <h3 id="multi-stage-builds">Multi-Stage Builds</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-dockerfile" data-lang="dockerfile"><span class="line"><span class="cl"><span class="c"># Build stage</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"></span><span class="k">FROM</span><span class="s"> golang:1.22 AS builder</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"></span><span class="k">WORKDIR</span><span class="s"> /app</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"></span><span class="k">COPY</span> . .<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"></span><span class="k">RUN</span> <span class="nv">CGO_ENABLED</span><span class="o">=</span><span class="m">0</span> go build -o main<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"></span><span class="c"># Production stage</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"></span><span class="k">FROM</span><span class="s"> gcr.io/distroless/static-debian12</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"></span><span class="k">COPY</span> --from<span class="o">=</span>builder /app/main /main<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"></span><span class="k">ENTRYPOINT</span> <span class="p">[</span><span class="s2">&#34;/main&#34;</span><span class="p">]</span><span class="err"> </span></span></span></code></pre></div><p>This keeps build tools and source code out of production images.</p> JWT Security Analysis https://ankitmaurya.pages.dev/projects/jwt-analysis/ Tue, 05 Mar 2024 00:00:00 +0000 https://ankitmaurya.pages.dev/projects/jwt-analysis/ <p>Tools and techniques for analyzing JWT tokens for authentication vulnerabilities.</p> <h2 id="jwt-overview">JWT Overview</h2> <p>JSON Web Tokens (JWT) are commonly used for authentication but can introduce security issues if not implemented correctly.</p> <h2 id="common-vulnerabilities">Common Vulnerabilities</h2> <h3 id="algorithm-confusion-alg-none">Algorithm Confusion (alg: none)</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="c1"># Exploit: Change alg to &#34;none&#34; and remove signature</span> </span></span><span class="line"><span class="cl"><span class="n">header</span> <span class="o">=</span> <span class="p">{</span><span class="s2">&#34;alg&#34;</span><span class="p">:</span> <span class="s2">&#34;none&#34;</span><span class="p">,</span> <span class="s2">&#34;typ&#34;</span><span class="p">:</span> <span class="s2">&#34;JWT&#34;</span><span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="n">payload</span> <span class="o">=</span> <span class="p">{</span><span class="s2">&#34;sub&#34;</span><span class="p">:</span> <span class="s2">&#34;1234567890&#34;</span><span class="p">,</span> <span class="s2">&#34;role&#34;</span><span class="p">:</span> <span class="s2">&#34;admin&#34;</span><span class="p">}</span> </span></span></code></pre></div><h3 id="key-confusion-rs256-to-hs256">Key Confusion (RS256 to HS256)</h3> <p>If the server uses RS256 but the library accepts HS256 with the public key as the secret.</p> <h2 id="analysis-tools">Analysis Tools</h2> <ul> <li>JWT.io for manual inspection</li> <li>Custom Python scripts for batch analysis</li> <li>Burp Suite extension for runtime inspection</li> </ul> <h2 id="validation-checklist">Validation Checklist</h2> <ol> <li>Verify signature with correct algorithm</li> <li>Check token expiration (exp claim)</li> <li>Validate audience (aud claim)</li> <li>Ensure proper key management</li> <li>Use strong secret keys (256-bit minimum)</li> </ol> <h2 id="best-practices">Best Practices</h2> <ul> <li>Always validate algorithm expected by your application</li> <li>Use asymmetric algorithms (RS256) when possible</li> <li>Implement token rotation</li> <li>Set appropriate expiration times</li> </ul>