WebVeta - Advanced, unified, consistent search for your website(s), from content of your website(s), blogs(s). First 50 customers, who sign-up prior to 15/05/2024 get unlimited access to existing features, newer features for at least 1 year. Sign up now! https://webveta.alightservices.com/
Categories
.Net C# Cryptography

BenchmarkDotNet with hash implementation in C#

In earlier blog post:

I have discussed about cryptographic and non-cryptographic hashes.

Here is a Github repo associated with this:

https://github.com/ALightTechnologyAndServicesLimited/Benchmark-Hash-Implementations-in-CSharp

For using BenchmarkDotNet:

Add the nuget package to a console application:

dotnet add package BenchmarkDotNet --version 0.13.7

Create a class and use the attributes [GlobalSetup] for any initialization, use the [Benchmark] attribute for the methods. Use [MemoryDiagnoser] for memory related information.

In the Program.cs use:

BenchmarkRunner.Run<BENCHMARK_CLASS>();

The code in the github repo clearly demonstrates the usage.

In the previous blog post I have mentioned about non-cryptographic hashes for general purposes.

Here are the results:

32 bytes data:

I commented some code and evaluated with more data sizes:

25 KB:

5 MB:

25 MB:

Conclusion:

For non-cryptographic 128 bit hashes use Murmur3.

I don’t have any fake aliases, nor any virtual aliases like some of the the psycho spy R&AW traitors of India. NOT associated – “ass”, eass, female “es”, “eka”, “ok”, “okay”, “is”, “erra”, yerra, karan, kamalakar, diwakar, kareem, karan, sowmya, zinnabathuni, bojja srinivas (was a friend and batchmate 1998 – 2002), mukesh golla (was a friend and classmate 1998 – 2002), thota veera, uttam’s, bandhavi’s, bhattaru’s, thota’s, bojja’s, bhattaru’s or Arumilli srinivas or Arumilli uttam (may be they are part of a different Arumilli family – not my family).

Mr. Kanti Kalyan Arumilli

Arumilli Kanti Kalyan, Founder & CEO
Arumilli Kanti Kalyan, Founder & CEO

B.Tech, M.B.A

Facebook

LinkedIn

Threads

Instagram

Youtube

Founder & CEO, Lead Full-Stack .Net developer

ALight Technology And Services Limited

ALight Technologies USA Inc

Youtube

Facebook

LinkedIn

Phone / SMS / WhatsApp on the following 3 numbers:

+91-789-362-6688, +1-480-347-6849, +44-07718-273-964

+44-33-3303-1284 (Preferred number if calling from U.K, No WhatsApp)

kantikalyan@gmail.com, kantikalyan@outlook.com, admin@alightservices.com, kantikalyan.arumilli@alightservices.com, KArumilli2020@student.hult.edu, KantiKArumilli@outlook.com and 3 more rarely used email addresses – hardly once or twice a year.

Categories
.Net C# Cryptography

A discussion of cryptographic hash and non-cryptographic hash implementations using C#

Hash algorithms take some data and create fixed size representation. The representations can be of various sizes such as 32/64/128/256/512 bytes.

Hash generated are in-general non-reversible i.e you can’t get the original data from hash.

Cryptographic hashes use some high level of cryptography and should be used for sensitive information such as passwords etc…

Non-cryptographic hash implementations can be used for general information.

SHA256, SHA384 and SHA512 are for cryptographic hashes.

The above mentioned SHA implementations are secure but little slower.

Here are some faster hash implementations for non-secure data purposes:

FastHash – Can generate 32/64/128 bit hashes.

var sometext = "SOME TEXT";

ReadOnlySpan<byte> data = new ReadOnlySpan<byte>(Encoding.UTF8.GetBytes(sometext));

var retVal = FastHash.HashGenerator.GenerateHash128(data);

var guid = retVal.AsGuid().ToString();
          OR
Convert.ToBase64String(retVal.AsSpan());

MurmurHash3 – Generates 128 bit hash and faster than FastHash’s 128 bit implementation.

var sometext = "SOME TEXT";

var data = Encoding.UTF8.GetBytes(sometext);

var retVal = murmurHasher.ComputeHash(data);

var guid = Convert.ToBase64String(retVal);

BLAKE2 – Generates 1-64 bytes i.e 8-512 bits hash.

var sometext = "SOME TEXT";

var bytes2 = Blake2Fast.Blake2b.ComputeHash(new ReadOnlySpan<byte>(Encoding.UTF8.GetBytes(sometext)));

var guid = Convert.ToBase64String(bytes2);

For specifying the hash-size in bytes use the overload for ComputeHash.

var bytes2 = Blake2Fast.Blake2b.ComputeHash(new ReadOnlySpan<byte>(<bytes>, Encoding.UTF8.GetBytes(sometext)));

The value of <bytes> can be between 1 and 64.

I don’t have any fake aliases, nor any virtual aliases like some of the the psycho spy R&AW traitors of India. NOT associated – “ass”, eass, female “es”, “eka”, “ok”, “okay”, “is”, “erra”, yerra, karan, kamalakar, diwakar, kareem, karan, sowmya, zinnabathuni, bojja srinivas (was a friend and batchmate 1998 – 2002), mukesh golla (was a friend and classmate 1998 – 2002), thota veera, uttam’s, bandhavi’s, bhattaru’s, thota’s, bojja’s, bhattaru’s or Arumilli srinivas or Arumilli uttam (may be they are part of a different Arumilli family – not my family).

Mr. Kanti Kalyan Arumilli

Arumilli Kanti Kalyan, Founder & CEO
Arumilli Kanti Kalyan, Founder & CEO

B.Tech, M.B.A

Facebook

LinkedIn

Threads

Instagram

Youtube

Founder & CEO, Lead Full-Stack .Net developer

ALight Technology And Services Limited

ALight Technologies USA Inc

Youtube

Facebook

LinkedIn

Phone / SMS / WhatsApp on the following 3 numbers:

+91-789-362-6688, +1-480-347-6849, +44-07718-273-964

+44-33-3303-1284 (Preferred number if calling from U.K, No WhatsApp)

kantikalyan@gmail.com, kantikalyan@outlook.com, admin@alightservices.com, kantikalyan.arumilli@alightservices.com, KArumilli2020@student.hult.edu, KantiKArumilli@outlook.com and 3 more rarely used email addresses – hardly once or twice a year.

Categories
.Net C# NLog UnitTests

Code Coverage in .Net 2023

In the past, I have written a blog post about code coverage using NUnit, OpenCover and ReportGenerator https://www.alightservices.com/2022/06/23/code-coverage-in-net/.

OpenCover development has stopped for over 2 years.

This blog post talks about another tool known as Coverlet.

This blog posts has a accompanying Github repo – https://github.com/ALightTechnologyAndServicesLimited/CodeCoverage/

The code has 4 methods regarding DateTime class. And 3 helper methods:

  • double GetUnixEpoch(DateTime)
  • DateTime GetDateTimeFromUnixEpoch(double)
  • long GetYYYMMDD(DateTime)
  • bool IsLeapYear(int)

There are 9 unit tests for the above mentioned 4 methods.

The batch file – RunCodeCoverage.bat has the commands.

The usage is very simple, add the Coverlet nuget package, install the ReportGenerator tool and run some commands. Navigate to the unittest project.

dotnet add package coverlet.collector

dotnet tool install -g dotnet-reportgenerator-globaltool

The nuget package coverlet.collector needs to be added for every unit test project. The reportgenerator can be installed once.

Then run this command for invoking coverlet:

dotnet test --collect:"XPlat Code Coverage"

This generates a xml file under TestResults/[some-random-guid].

This xml file would be used by reportgenerator for generating HTML report:

reportgenerator.exe "-reports:TestResults**.*.xml" "-targetdir:report"

The above command looks for xml files under TestResults/* folder and generates HTML reports under report folder.

The HTML report looks like this. If there is any code that was not covered under unit test, those can be seen easily. The following screenshots have 100% code coverage, but if there is any code not covered, the code would be shown in red.

I don’t have any fake aliases, nor any virtual aliases like some of the the psycho spy R&AW traitors of India. NOT associated – “ass”, eass, female “es”, “eka”, “ok”, “okay”, “is”, “erra”, yerra, karan, kamalakar, diwakar, kareem, karan, sowmya, zinnabathuni, bojja srinivas (was a friend and batchmate 1998 – 2002), mukesh golla (was a friend and classmate 1998 – 2002), thota veera, uttam’s, bandhavi’s, bhattaru’s, thota’s, bojja’s, bhattaru’s or Arumilli srinivas or Arumilli uttam (may be they are part of a different Arumilli family – not my family).

Mr. Kanti Kalyan Arumilli

Arumilli Kanti Kalyan, Founder & CEO
Arumilli Kanti Kalyan, Founder & CEO

B.Tech, M.B.A

Facebook

LinkedIn

Threads

Instagram

Youtube

Founder & CEO, Lead Full-Stack .Net developer

ALight Technology And Services Limited

ALight Technologies USA Inc

Youtube

Facebook

LinkedIn

Phone / SMS / WhatsApp on the following 3 numbers:

+91-789-362-6688, +1-480-347-6849, +44-07718-273-964

+44-33-3303-1284 (Preferred number if calling from U.K, No WhatsApp)

kantikalyan@gmail.com, kantikalyan@outlook.com, admin@alightservices.com, kantikalyan.arumilli@alightservices.com, KArumilli2020@student.hult.edu, KantiKArumilli@outlook.com and 3 more rarely used email addresses – hardly once or twice a year.

Categories
.Net EntityFramework MariaDB MySQL

MySQL DBFirst using Entity Framework

If there is an existing database and if you need to use Entity Framework, use Database First approach. Have Entity Framework generate the DBContext and the classes.

Install / Update Entity Framework tool:

dotnet tool install --global dotnet-ef
dotnet tool update --global dotnet-ef

Add the following nuget packages:

Microsoft.EntityFrameworkCore
Microsoft.EntityFrameworkCore.Design
Microsoft.EntityFrameworkCore.Relational
Pomelo.EntityFrameworkCore.MySql
Pomelo.EntityFrameworkCore.MySql.Design

Then run the following command:

dotnet ef dbcontext scaffold "Server=<SERVER>;User=<USERNAME>;Password=<PASSWORD>;Database=<DATABASE>;"  "Pomelo.EntityFrameworkCore.MySql"

The EF classes and DBContext gets scaffolded.

I don’t have any fake aliases, nor any virtual aliases like some of the the psycho spy R&AW traitors of India. NOT associated – “ass”, eass, female “es”, “eka”, “ok”, “okay”, “is”, “erra”, yerra, karan, kamalakar, diwakar, kareem, karan, sowmya, zinnabathuni, bojja srinivas (was a friend and batchmate 1998 – 2002), mukesh golla (was a friend and classmate 1998 – 2002), thota veera, uttam’s, bandhavi’s, bhattaru’s, thota’s, bojja’s, bhattaru’s or Arumilli srinivas or Arumilli uttam (may be they are part of a different Arumilli family – not my family).

Mr. Kanti Kalyan Arumilli

Arumilli Kanti Kalyan, Founder & CEO
Arumilli Kanti Kalyan, Founder & CEO

B.Tech, M.B.A

Facebook

LinkedIn

Threads

Instagram

Youtube

Founder & CEO, Lead Full-Stack .Net developer

ALight Technology And Services Limited

ALight Technologies USA Inc

Youtube

Facebook

LinkedIn

Phone / SMS / WhatsApp on the following 3 numbers:

+91-789-362-6688, +1-480-347-6849, +44-07718-273-964

+44-33-3303-1284 (Preferred number if calling from U.K, No WhatsApp)

kantikalyan@gmail.com, kantikalyan@outlook.com, admin@alightservices.com, kantikalyan.arumilli@alightservices.com, KArumilli2020@student.hult.edu, KantiKArumilli@outlook.com and 3 more rarely used email addresses – hardly once or twice a year.

Categories
.Net C# Cryptography Security

Symmetric encryption using TripleDES in C#

Symmetric encryption is an encryption technique where the same set of keys are used for encryption and decryption. Whereas, Asymmetric encryption uses different keys i.e public key for encryption and associated private key for decryption.

TripleDES is an algorithm for implementing symmetric encryption.

TripleDES uses Key and IV.

public string EncryptTripleDES(string plainText, byte[] Key, byte[] IV)
{
    byte[] encrypted;
    using (TripleDESCryptoServiceProvider tdes = new TripleDESCryptoServiceProvider())
    {
        ICryptoTransform encryptor = tdes.CreateEncryptor(Key, IV);
        using (MemoryStream ms = new MemoryStream())
        {
            using (CryptoStream cs = new CryptoStream(ms, encryptor, CryptoStreamMode.Write))
            {
                using (StreamWriter sw = new StreamWriter(cs))
                    sw.Write(plainText);
                encrypted = ms.ToArray();
            }
        }
    }
    return Convert.ToBase64String(encrypted);
}

The above code snippet is for encryption.

public string DecryptTripleDES(string cipherText, byte[] Key, byte[] IV)
{
    string plaintext = null;
    var cipherBytes = Convert.FromBase64String(cipherText);
    using (TripleDESCryptoServiceProvider tdes = new TripleDESCryptoServiceProvider())
    {
        ICryptoTransform decryptor = tdes.CreateDecryptor(Key, IV);
        using (MemoryStream ms = new MemoryStream(cipherBytes))
        {
            using (CryptoStream cs = new CryptoStream(ms, decryptor, CryptoStreamMode.Read))
            {
                using (StreamReader reader = new StreamReader(cs))
                    plaintext = reader.ReadToEnd();
            }
        }
    }
    return plaintext;
}

The above code snippet is for Decryption.

My open-source tool LightKeysTransfer uses TripleDES and the accompanying source code can be found at:

https://github.com/ALightTechnologyAndServicesLimited/LightKeysTransfer

The encryption/decryption related code can be found at:

https://github.com/ALightTechnologyAndServicesLimited/LightKeysTransfer/blob/main/LightKeysTransfer/LightKeysTransfer/CryptHelper.cs

I don’t have any fake aliases, nor any virtual aliases like some of the the psycho spy R&AW traitors of India. NOT associated – “ass”, eass, female “es”, “eka”, “ok”, “okay”, “is”, “erra”, yerra, karan, kamalakar, diwakar, kareem, karan, sowmya, zinnabathuni, bojja srinivas (was a friend and batchmate 1998 – 2002), mukesh golla (was a friend and classmate 1998 – 2002), thota veera, uttam’s, bandhavi’s, bhattaru’s, thota’s, bojja’s, bhattaru’s or Arumilli srinivas or Arumilli uttam (may be they are part of a different Arumilli family – not my family).

Mr. Kanti Kalyan Arumilli

Arumilli Kanti Kalyan, Founder & CEO
Arumilli Kanti Kalyan, Founder & CEO

B.Tech, M.B.A

Facebook

LinkedIn

Threads

Instagram

Youtube

Founder & CEO, Lead Full-Stack .Net developer

ALight Technology And Services Limited

ALight Technologies USA Inc

Youtube

Facebook

LinkedIn

Phone / SMS / WhatsApp on the following 3 numbers:

+91-789-362-6688, +1-480-347-6849, +44-07718-273-964

+44-33-3303-1284 (Preferred number if calling from U.K, No WhatsApp)

kantikalyan@gmail.com, kantikalyan@outlook.com, admin@alightservices.com, kantikalyan.arumilli@alightservices.com, KArumilli2020@student.hult.edu, KantiKArumilli@outlook.com and 3 more rarely used email addresses – hardly once or twice a year.

Categories
.Net C# Cryptography Security

An overview of RSA for asymmetric encryption, decryption using C#

The RSACryptoServiceProvider in C# provides way for asymmetric encryption and decryption. The encryption happens using public key. The encrypted data can be decrypted only by the associated private key.

The implementation supports keys of sizes varying from 512 bits to 16,384 bits. The larger the key size, the more secure but slower. Depending on the size of the key, the amount of data that can be encrypted would be different.

The public key can be exported and passed for encrypting data. The private key needs to be properly secured.

My open source project LightKeysTransfer uses RSA for encryption and decryption. CryptHelper.cs has the code implementation.

var rsa = RSACryptoServiceProvider.Create(2048);
var rsa2 = RSACryptoServiceProvider.Create(2048);

// code for exporting the public key
var publicKey = rsa.ToXmlString(false);

// code for importing the public key on a different instance
rsa2.FromXmlString(publicKey);

// code for getting bytes from string, there are several other ways of converting text into bytes
var plainBytes = UTF8Encoding.UTF8.GetBytes("Hello!");

// code for encrypting 
var encryptedBytes = rsa2.Encrypt(plainBytes, RSAEncryptionPadding.OaepSHA512);

// code for decrypting
var decryptedBytes = rsa.Decrypt(encryptedBytes, RSAEncryptionPadding.OaepSHA512);

In a different blog post in the next few days, I would post about TripleDES, I am implementing a combination of TripleDES and RSA for encrypting and decrypting slightly larger data. Larger data cannot be encrypted using RSA!

I don’t have any fake aliases, nor any virtual aliases like some of the the psycho spy R&AW traitors of India. NOT associated – “ass”, eass, female “es”, “eka”, “ok”, “okay”, “is”, “erra”, yerra, karan, kamalakar, diwakar, kareem, karan, sowmya, zinnabathuni, bojja srinivas (was a friend and batchmate 1998 – 2002), mukesh golla (was a friend and classmate 1998 – 2002), thota veera, uttam’s, bandhavi’s, bhattaru’s, thota’s, bojja’s, bhattaru’s or Arumilli srinivas or Arumilli uttam (may be they are part of a different Arumilli family – not my family).

Mr. Kanti Kalyan Arumilli

Arumilli Kanti Kalyan, Founder & CEO
Arumilli Kanti Kalyan, Founder & CEO

B.Tech, M.B.A

Facebook

LinkedIn

Threads

Instagram

Youtube

Founder & CEO, Lead Full-Stack .Net developer

ALight Technology And Services Limited

ALight Technologies USA Inc

Youtube

Facebook

LinkedIn

Phone / SMS / WhatsApp on the following 3 numbers:

+91-789-362-6688, +1-480-347-6849, +44-07718-273-964

+44-33-3303-1284 (Preferred number if calling from U.K, No WhatsApp)

kantikalyan@gmail.com, kantikalyan@outlook.com, admin@alightservices.com, kantikalyan.arumilli@alightservices.com, KArumilli2020@student.hult.edu, KantiKArumilli@outlook.com and 3 more rarely used email addresses – hardly once or twice a year.

Categories
Security

How to get alerts for SSH / OpenVPN logins on AWS EC2 or any other debian/ubuntu based servers

This blog post is specifically for AWS EC2 but the same concepts can be used in any Ubuntu based environments.

This is part of my personal effort in enhancing the cyber-security of my own startup – ALight Technology And Services Limited and ALight Technologies USA Inc. I am using multi-cloud environment for additional security. I have workloads in Azure, AWS! Azure has more important workloads. I am trying to come up with a plan where if an attacker hacks one of the accounts, the critical workload in Azure should not be accessible. This is pretty much like creating multiple layers of security. In other words this is like multi-MFA accounts security with various multi-factor authentication methods.

At least during locked-down period, the multi-MFA accounts security level would enhance the security. During maintenance window this level of security wouldn’t be possible and I am planning some monitoring, alerts and automatic mitigations if abnormal activity gets detected during maintenance windows based on logs, metrics. And even automatic terminations for any higher abnormal activity. Almost like a self-developed, zero trust system, intrusion detection and prevention system.

Here are several related blog posts:

The spy-attackers-toes (I think extremist division of R&AW, spying organization of my own country, India) = terrorist odour can utmost do screenshots but cannot directly access the servers. This is one man’s effort against an army of anonymous spy-hackers. Shame on the bribery/extortion/ransom takers. sugarified word – taking – harsh reality = extortion/ransom, instead they could have opted to asking for help.

In AWS configure a SNS topic to send alerts to emails / SMS to phone. Add the emails and phone numbers, subscribe and validate the emails and phones.

Create a role for use with EC2 instances and give permission for publish to the SNS topic.

When launching the SNS use associate the IAM role with permission for publishing.

Install aws cli.

> sudo apt install awscli

Create a script for example / var/LoginAlert/LoginAlert.sh

#!/bin/bash
aws sns publish --topic-arn <ARN_OF_SNS_TOPIC> --message "User Logged In!" --region <AWS_REGION>
exit 0

Replace the ARN and Region with your own ARN and Region of the SNS topic.

Instead of “aws sns publish”, we can use any other executable such as writing some customcode and writing into some database for audit purposes, send alert via various other methods such as Slack etc… Or may be even a curl request to Slack.

https://api.slack.com/tutorials/tracks/posting-messages-with-curl

Give execute permissions on the script

sudo chmod +x /var/LoginAlert/LoginAlert.sh

Edit the file /etc/profile

sudo nano /etc/profile

Add the following code:

/var/LoginAlert/LoginAlert.sh

Now, reboot and re-login, you should have received an alert.

Now for OpenVPN, we can use the same script. Edit server.conf usually under /etc/openvpn or /etc/openvpn/server. Add the following lines:

client-connect "/var/LoginAlert/LoginAlert.sh"
script-security 2

Now, try connecting to your VPN instance, you should receive an alert.

I don’t have any fake aliases, nor any virtual aliases like some of the the psycho spy R&AW traitors of India. NOT associated – “ass”, eass, female “es”, “eka”, “ok”, “okay”, “is”, “erra”, yerra, karan, kamalakar, diwakar, kareem, karan, sowmya, zinnabathuni, bojja srinivas (was a friend and batchmate 1998 – 2002), mukesh golla (was a friend and classmate 1998 – 2002), thota veera, uttam’s, bandhavi’s, bhattaru’s, thota’s, bojja’s, bhattaru’s or Arumilli srinivas or Arumilli uttam (may be they are part of a different Arumilli family – not my family).

Mr. Kanti Kalyan Arumilli

Arumilli Kanti Kalyan, Founder & CEO
Arumilli Kanti Kalyan, Founder & CEO

B.Tech, M.B.A

Facebook

LinkedIn

Threads

Instagram

Youtube

Founder & CEO, Lead Full-Stack .Net developer

ALight Technology And Services Limited

ALight Technologies USA Inc

Youtube

Facebook

LinkedIn

Phone / SMS / WhatsApp on the following 3 numbers:

+91-789-362-6688, +1-480-347-6849, +44-07718-273-964

+44-33-3303-1284 (Preferred number if calling from U.K, No WhatsApp)

kantikalyan@gmail.com, kantikalyan@outlook.com, admin@alightservices.com, kantikalyan.arumilli@alightservices.com, KArumilli2020@student.hult.edu, KantiKArumilli@outlook.com and 3 more rarely used email addresses – hardly once or twice a year.

Categories
AWS Azure Security VPN

WireGuard, OpenVPN, Pro Custodibus, TailScale

In my startup – ALight Technology And Services Limited, I don’t have any employees. I do everything myself. I know .Net web development. These other activities are something new for me.

Most of you know, I have been looking for secure, efficient way of accessing servers hosted in my AWS and Azure accounts. This effort is part of productionizing WebVeta and securing the servers.

I have written some blog articles about OpenVPN in the past and how-to automate changing keys using some C# code at random for higher security.

This blog post is about few other alternatives and some tips.

WireGuard is another free VPN software! But the problem 256-bit key. i.e less secure but high throughput. One possible way is by rotating the key on a timely basis. There is another software known as Pro Custodibus, that helps in rotating keys and managing keys + MFA!

OpenVPN is very highly configurable and can support 2048 bit keys and above.

How to easily install OpenVPN and some easy C# code snippets for Process class

The above blog post talks about how to install and use some C# code for re-generating server and client side keys. The above blog post allows keys + password protection for the ovpn file i.e 2 layers of higher security.

OpenVPN has the following interesting options for further security / monitoring and alerting:

--ipchange cmd
--route-up cmd
--route-pre-down cmd
--ping-exit n
--up cmd
--down cmd
--down-pre
--up-restart
--client-connect
--client-disconnect
--auth-user-pass-verify cmd method
--auth-gen-token [lifetime]
--single-session

Using some of these options and commands, alerts can be generated by either using scripts or programs. I would use C#, but any programming language or even shell scripts can be used.

Using –auth-user-pass-verify 3rd level of security can be added i.e an additional username + password security can be added.

–single-session allows one and only one session, no session re-negotiation – Probably perfect for my scenario.

TailScale is a very nice VPN management software and has a very generous free-tier of upto 100 devices and 3 users. With a little bit of custom programming and using TailScale the security can be increased and can be easily managed. However, one of the biggest problems I saw was registering servers. TailGate displays a URL in plain-text, the URL needs to be entered in browser and authenticated for registering a server in TailGate. If anyone knows the URL and if they authenticate before you, they can try to take-over the server and of-course you can immediately terminate server etc…

I think re-gistering servers should be 2 way i.e

  1. In the website allow copying some random GUID (don’t show the GUID in plain text).
  2. In the server after tailscale up, prompt for the GUID, treat the GUID like password, allow pasting but don’t echo the GUID.
  3. Generate another unique GUID on the server and display.
  4. User copies the server-side GUID and pastes in the website.
  5. Now pair the servers

Even if someone somehow steals the first GUID and pastes in their server, the second GUID generated by their server would be different and can’t be paired.

If someone steals the second guid, their browser-side first guid associated with their account would be different and can’t be paired.

Meanwhile TailScale pairing can be done little securely using my opensource tool – https://github.com/ALightTechnologyAndServicesLimited/LightKeysTransfer – This feature to be implemented, I would make an announcement when the feature gets implemented.

The feature would be very simple, instead of displaying the URL, the URL would be encrypted, use the client-mode part of tool for decrypting, copy and paste in small-sized browser window and approve.

This feature request has been submitted – https://github.com/tailscale/tailscale/issues/8823

I don’t have any fake aliases, nor any virtual aliases like some of the the psycho spy R&AW traitors of India. NOT associated – “ass”, eass, female “es”, “eka”, “ok”, “okay”, “is”, “erra”, yerra, karan, kamalakar, diwakar, kareem, karan, sowmya, zinnabathuni, bojja srinivas (was a friend and batchmate 1998 – 2002), mukesh golla (was a friend and classmate 1998 – 2002), thota veera, uttam’s, bandhavi’s, bhattaru’s, thota’s, bojja’s, bhattaru’s or Arumilli srinivas or Arumilli uttam (may be they are part of a different Arumilli family – not my family).

Mr. Kanti Kalyan Arumilli

Arumilli Kanti Kalyan, Founder & CEO
Arumilli Kanti Kalyan, Founder & CEO

B.Tech, M.B.A

Facebook

LinkedIn

Threads

Instagram

Youtube

Founder & CEO, Lead Full-Stack .Net developer

ALight Technology And Services Limited

ALight Technologies USA Inc

Youtube

Facebook

LinkedIn

Phone / SMS / WhatsApp on the following 3 numbers:

+91-789-362-6688, +1-480-347-6849, +44-07718-273-964

+44-33-3303-1284 (Preferred number if calling from U.K, No WhatsApp)

kantikalyan@gmail.com, kantikalyan@outlook.com, admin@alightservices.com, kantikalyan.arumilli@alightservices.com, KArumilli2020@student.hult.edu, KantiKArumilli@outlook.com and 3 more rarely used email addresses – hardly once or twice a year.

Categories
.Net C# Linux Security

How to easily install OpenVPN and some easy C# code snippets for Process class

This blog article is based on the script provided at:

https://raw.githubusercontent.com/Nyr/openvpn-install/master/openvpn-install.sh

This script has been slightly modified for certain reasons mentioned below:

  1. The above script uses pre-defined dh.pem (My version generates a new random 2048 bit dh params)
  2. The above script generates client cert without password (My version mandates password and allows specifying the passwords in a separate file)
  3. The above script generates certificates with 10 years validity (My version generates certificates with 1 day validity i.e because I plan to re-generate certificates often, hmmmm, more like One time use certificates like OTP’s)

I have mentioned in a previous blog post – https://www.alightservices.com/2023/08/03/a-method-for-randomizing-vpn-security-for-cloud-based-workloads-alight-technology-and-services-limited/

I am looking for ways to randomize server-side cert, client ovpn, etc…

This script is part of the effort.

The script is attached here. Later a separate GitHub repo with some demo code would be provided. Then this blog post would be updated.

https://www.alightservices.com/wp-content/uploads/2023/08/openvpn-install.sh_.zip

Download the zip file, unzip, change the extension i.e remove .txt.

Provide execute permissions and execute the script.

> wget https://www.alightservices.com/wp-content/uploads/2023/08/openvpn-install.sh_.zip

> unzip openvpn-install.sh_.zip

> mv openvpn-install.sh.txt openvpn-install.sh

> sudo chmod +x openvpn-install.sh

> echo 'password
password' > infile

> cp infile outfile

> ./openvpn-install.sh

In the above snippets, infile and outfile contains the same password two times on two different lines. Replace the password with what’s necessary or use some tools or utilities for generating password and writing into infile and outfile.

Now the C# part:

Using C# code, it’s very easy to generate random passwords and writing the passwords to infile, outfile.

System.Diagnostics.Process class allows executing shell scripts on Linux. Let’s look at some code sample:

Process process = new();
process.StartInfo.WorkingDirectory = "/path";
process.StartInfo.FileName = "/path/openvpn-install.sh";
process.StartInfo.Arguments = "";
process.EnableRaisingEvents = true;
process.Exited += Process_Exited;
process.ErrorDataReceived += Process_ErrorDataReceived;
process.OutputDataReceived += Process_OutputDataReceived;
process.StartInfo.RedirectStandardInput = true;
process.Start();
.
.
.
process.WaitForExit();


void Process_ErrorDataReceived(object sender, DataReceivedEventArgs e)
{
    // Do whatever is necessary with e.Data;
}

void Process_OutputDataReceived(object sender, DataReceivedEventArgs e)
{
     // Do whatever is necessary with e.Data;
}

void Process_Exited(object? sender, EventArgs e)
{
     // Handle code if necessary
}

In the above code snippet, we are executing a shell script located inside /path directory.

Because we are re-directing StandardInput by setting RedirectStandardInput = true, we can enter different values programatically on a necessary basis.

Or in the above shell script, the interactive prompts can be removed and pre-defined values can be used.

Using the above mentioned script, C# code snippets and by having passwords inside file, it becomes very easy to generate new server and client certificates and re-genrate certificates.

BTW the above mentioned script generates /etc/openvpn/server/server.conf, the following code server-config snippets might be of use, if needed add manually or update the script.

max-clients n
log /var/log/openvpn/openvpn.log
status /var/log/openvpn/status.txt

max-clients limits the maximum number of simultaneous connections.

log – writes log file, the verbosity can be controlled using verb. verb value of 9 means very verbose.

status – a little text file having information about current clients connections.

I don’t have any fake aliases, nor any virtual aliases like some of the the psycho spy R&AW traitors of India. NOT associated – “ass”, eass, female “es”, “eka”, “ok”, “okay”, “is”, “erra”, yerra, karan, kamalakar, diwakar, kareem, karan, sowmya, zinnabathuni, bojja srinivas (was a friend and batchmate 1998 – 2002), mukesh golla (was a friend and classmate 1998 – 2002), thota veera, uttam’s, bandhavi’s, bhattaru’s, thota’s, bojja’s, bhattaru’s or Arumilli srinivas or Arumilli uttam (may be they are part of a different Arumilli family – not my family).

Mr. Kanti Kalyan Arumilli

Arumilli Kanti Kalyan, Founder & CEO
Arumilli Kanti Kalyan, Founder & CEO

B.Tech, M.B.A

Facebook

LinkedIn

Threads

Instagram

Youtube

Founder & CEO, Lead Full-Stack .Net developer

ALight Technology And Services Limited

ALight Technologies USA Inc

Youtube

Facebook

LinkedIn

Phone / SMS / WhatsApp on the following 3 numbers:

+91-789-362-6688, +1-480-347-6849, +44-07718-273-964

+44-33-3303-1284 (Preferred number if calling from U.K, No WhatsApp)

kantikalyan@gmail.com, kantikalyan@outlook.com, admin@alightservices.com, kantikalyan.arumilli@alightservices.com, KArumilli2020@student.hult.edu, KantiKArumilli@outlook.com and 3 more rarely used email addresses – hardly once or twice a year.

Categories
Security

A method for randomizing VPN security for cloud based workloads – ALight Technology And Services Limited

One of the most important software is VPN for connectivity. There are two famous options in Open-Source world:

  1. Wireguard
  2. OpenSSH

Irrespective of which software is being used, this articles describes a methodology for Zero trust security architecture for accessing cloud workloads.

The problem:

The rogue R&AW spying equipment capable of seeing, reading mind etc…

If I know or see IP’s they know IP’s. If I know or see passwords / keys, they know passwords and keys.

Solution:

Random keys generated programatically, transferred programatically, configs updated programatically, random IP of VPN server, random port for VPN, breach detection, log monitoring, pre-defined maximum interval before keys, IPs, Ports get randomized – periodically, programatically.

This article describes an approach at a high level, but very configurable and customizable.

Component – 1: AWS Lambda / Azure Function

The server can be spun up programatically from a pre-defined Golden Base Image based on a trigger such as AWS Lambda or Azure Function. The criteria for Lambda / Function is out of scope but can be done based on your needs. Now we have random public IP address.

Component – 2: Server-side daemon on Linux machine

This component is responsible for programatically re-generating keys or ovpn file based on the VPN software.

This component randomizes the VPN port and programatically updates the configuration files.

Opens the new port in Firewall programatically.

Starts the VPN service.

Periodically stops VPN, resets keys, ports, updates config and starts VPN service.

Encrypts and passes the public IP of the VM, new random port, public key or ovpn file.

This information needs to be passed to Component 3 mentioned below. How can the information be passed? There are several techniques i.e through some web dashboard etc… i.e users would go to some pre-defined web portal, download an encrypted file containing encrypted information or in some other way.

Component – 3: Client Components

This component takes the encrypted info, updates client-side config on a necessary basis, encrypts any info that needs to be sent to the portal. If any info needs to be passed, the encrypted file would be uploaded and Component-2 would allow the users.

The Client would be responsible for letting users know of till when the new VPN credentials are valid etc…

Makes appropriate config changes.

I am implementing similar system mentioned above, I would be happy to share some code snippets and some further details.

In the above scenario, I wouldn’t know the public IP or port or keys of the VPN server and client and wouldn’t be displayed on screen. Now what can the hackers – Uttam / Veera / Diwakar / e / fake females and Bojja Srinivas do?

If shown on screen, they might record or do screenshots using invisible equipment, in the above scenario, what can they do? If the keys are automatically rotated every few hours, Lambda shutsdown and spins up new instances every few hours, what can they do?

I don’t have any fake aliases, nor any virtual aliases like some of the the psycho spy R&AW traitors of India. NOT associated – “ass”, eass, female “es”, “eka”, “ok”, “okay”, “is”, “erra”, yerra, karan, kamalakar, diwakar, kareem, karan, sowmya, zinnabathuni, bojja srinivas (was a friend and batchmate 1998 – 2002), mukesh golla (was a friend and classmate 1998 – 2002), thota veera, uttam’s, bandhavi’s, bhattaru’s, thota’s, bojja’s, bhattaru’s or Arumilli srinivas or Arumilli uttam (may be they are part of a different Arumilli family – not my family).

Mr. Kanti Kalyan Arumilli

Arumilli Kanti Kalyan, Founder & CEO
Arumilli Kanti Kalyan, Founder & CEO

B.Tech, M.B.A

Facebook

LinkedIn

Threads

Instagram

Youtube

Founder & CEO, Lead Full-Stack .Net developer

ALight Technology And Services Limited

ALight Technologies USA Inc

Youtube

Facebook

LinkedIn

Phone / SMS / WhatsApp on the following 3 numbers:

+91-789-362-6688, +1-480-347-6849, +44-07718-273-964

+44-33-3303-1284 (Preferred number if calling from U.K, No WhatsApp)

kantikalyan@gmail.com, kantikalyan@outlook.com, admin@alightservices.com, kantikalyan.arumilli@alightservices.com, KArumilli2020@student.hult.edu, KantiKArumilli@outlook.com and 3 more rarely used email addresses – hardly once or twice a year.