Categories
Security

A method for randomizing VPN security for cloud based workloads – ALight Technology And Services Limited

One of the most important pieces of software for connectivity is a VPN. There are two well-known options in the open-source world:

  1. Wireguard
  2. OpenSSH

Irrespective of which software is used, this article describes a methodology for a zero-trust security architecture for accessing cloud workloads.

The problem:

The rogue R&AW spying equipment is capable of seeing, reading minds, etc.

If I know or see IPs, they know the IPs. If I know or see passwords or keys, they know the passwords and keys.

Solution:

Random keys generated programmatically, transferred programmatically, configs updated programmatically, a random IP for the VPN server, a random port for the VPN, breach detection, log monitoring, and a pre-defined maximum interval after which keys, IPs and ports are re-randomized, periodically and programmatically.

This article describes the approach at a high level; the design is very configurable and customizable.

Component – 1: AWS Lambda / Azure Function

The server can be spun up programmatically from a pre-defined golden base image by a trigger such as an AWS Lambda or Azure Function. The criteria for the Lambda / Function are out of scope and can be chosen to suit your needs. The result is a random public IP address.

Component – 2: Server-side daemon on Linux machine

This component is responsible for programmatically regenerating the keys or the .ovpn file, depending on the VPN software.

It randomizes the VPN port and programmatically updates the configuration files.

It opens the new port in the firewall programmatically.

It starts the VPN service.

Periodically it stops the VPN, resets the keys and ports, updates the config and starts the VPN service again.

It encrypts and passes on the public IP of the VM, the new random port, and the public key or .ovpn file.

This information needs to be passed to Component 3, described below. How can it be passed? There are several techniques, e.g. a web dashboard: users would go to a pre-defined web portal and download an encrypted file containing the information, or some other channel could be used.

Component – 3: Client Components

This component takes the encrypted info, updates the client-side config as needed, and encrypts any info that needs to be sent to the portal. If any info needs to be passed back, the encrypted file would be uploaded and Component 2 would grant the users access.

The client would be responsible for letting users know until when the new VPN credentials are valid, etc.

It makes the appropriate config changes.
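The following is an added example, not code from the article or from the author's own system: one rotation cycle of the Component 2 daemon, written for WireGuard as a .NET class. Everything in it beyond what the article states is an assumption of this example: the interface name wg0, the 20000-60000 port range, ufw as the firewall, the 10.8.0.0/24 tunnel addresses, a 4-hour validity window, and the client's RSA public key being available in PEM form. It requires .NET 8, the wg / wg-quick / ufw binaries and root on the VPN host.

```csharp
// Added example (not the article's code): one rotation cycle of the "Component 2"
// daemon for WireGuard. Interface name, port range, firewall tool, tunnel addresses,
// validity window and the client's RSA key format are assumptions of this example.
using System;
using System.Diagnostics;
using System.IO;
using System.Security.Cryptography;
using System.Text.Json;

public sealed class WireGuardRotator
{
    private const string Iface = "wg0";
    private const string ConfPath = "/etc/wireguard/" + Iface + ".conf";
    private const int MinPort = 20000, MaxPort = 60000;
    private static readonly TimeSpan Validity = TimeSpan.FromHours(4);
    private int _currentPort;                     // 0 until the first rotation

    // What the client needs; it is only ever passed on in encrypted form
    public sealed record Bundle(string ServerIp, int Port, string ServerPublicKey, DateTimeOffset ValidUntil);

    // Runs a command, optionally feeding stdin, and returns stdout; throws on a non-zero exit code
    private static string Run(string file, string args, string? stdin = null)
    {
        var psi = new ProcessStartInfo(file, args)
        {
            RedirectStandardInput = stdin != null,
            RedirectStandardOutput = true,
            UseShellExecute = false
        };
        using var p = Process.Start(psi) ?? throw new InvalidOperationException($"cannot start {file}");
        if (stdin != null) { p.StandardInput.Write(stdin); p.StandardInput.Close(); }
        string output = p.StandardOutput.ReadToEnd();
        p.WaitForExit();
        if (p.ExitCode != 0) throw new InvalidOperationException($"{file} {args} exited with {p.ExitCode}");
        return output;
    }

    // Stops the tunnel, generates a fresh key pair and port, rewrites the config,
    // swaps the firewall rule, restarts the tunnel and returns the encrypted bundle.
    public byte[] RotateOnce(string publicIp, string clientWgPublicKey, string clientRsaPem)
    {
        if (_currentPort != 0)
        {
            Run("wg-quick", $"down {Iface}");
            Run("ufw", $"delete allow {_currentPort}/udp");   // close the previous port
        }

        string privateKey = Run("wg", "genkey").Trim();
        string publicKey = Run("wg", "pubkey", privateKey).Trim();
        int port = RandomNumberGenerator.GetInt32(MinPort, MaxPort + 1);   // CSPRNG, not System.Random

        string conf =
            $"[Interface]\nPrivateKey = {privateKey}\nListenPort = {port}\nAddress = 10.8.0.1/24\n\n" +
            $"[Peer]\nPublicKey = {clientWgPublicKey}\nAllowedIPs = 10.8.0.2/32\n";
        File.WriteAllText(ConfPath, conf);
        // 0600: the file holds the private key, so only root may read it
        File.SetUnixFileMode(ConfPath, UnixFileMode.UserRead | UnixFileMode.UserWrite);

        Run("ufw", $"allow {port}/udp");
        Run("wg-quick", $"up {Iface}");
        _currentPort = port;

        var bundle = new Bundle(publicIp, port, publicKey, DateTimeOffset.UtcNow + Validity);
        return Encrypt(bundle, clientRsaPem);
    }

    // Hybrid encryption: AES-256-GCM for the bundle, RSA-OAEP(SHA-256) to wrap the AES key,
    // so only the holder of the client's RSA private key can recover IP, port and key.
    // Output layout: [2-byte wrapped-key length][wrapped key][12-byte nonce][16-byte tag][ciphertext]
    public static byte[] Encrypt(Bundle bundle, string clientRsaPem)
    {
        byte[] plain = JsonSerializer.SerializeToUtf8Bytes(bundle);
        byte[] key = RandomNumberGenerator.GetBytes(32);
        byte[] nonce = RandomNumberGenerator.GetBytes(12);   // fresh nonce for a fresh key
        byte[] cipher = new byte[plain.Length];
        byte[] tag = new byte[16];
        using (var aes = new AesGcm(key, tag.Length)) aes.Encrypt(nonce, plain, cipher, tag);

        using var rsa = RSA.Create();
        rsa.ImportFromPem(clientRsaPem);
        byte[] wrapped = rsa.Encrypt(key, RSAEncryptionPadding.OaepSHA256);

        using var ms = new MemoryStream();
        ms.WriteByte((byte)(wrapped.Length >> 8));
        ms.WriteByte((byte)wrapped.Length);
        ms.Write(wrapped); ms.Write(nonce); ms.Write(tag); ms.Write(cipher);
        return ms.ToArray();
    }
}
```

The returned byte array is what would be uploaded to the portal for Component 3; the client reverses the layout, unwraps the AES key with its RSA private key and verifies the GCM tag before trusting the IP, port and public key. Scheduling the call every few hours, detecting a breach and tearing the instance down belong to the trigger (Component 1) and are not shown.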

I am implementing a system similar to the one described above; I would be happy to share some code snippets and some further details.

In the above scenario, I wouldn't know the public IP, port or keys of the VPN server and client, and they wouldn't be displayed on screen. Now what can the hackers – Uttam / Veera / Diwakar / e / fake females and Bojja Srinivas – do?

If shown on screen, they might record or take screenshots using invisible equipment; in the above scenario, what can they do? If the keys are automatically rotated every few hours and the Lambda shuts down and spins up new instances every few hours, what can they do?

Mr. Kanti Kalyan Arumilli

Arumilli Kanti Kalyan, Founder & CEO

B.Tech, M.B.A

Founder & CEO, Lead Full-Stack .Net developer

ALight Technology And Services Limited

ALight Technologies USA Inc

Phone / SMS / WhatsApp on the following 3 numbers:

+91-789-362-6688, +1-480-347-6849, +44-07718-273-964

kantikalyan@gmail.com, kantikalyan@outlook.com, admin@alightservices.com, kantikalyan.arumilli@alightservices.com, KArumilli2020@student.hult.edu, KantiKArumilli@outlook.com and 3 more rarely used email addresses – hardly once or twice a year.

Categories
Apache Security

ASP.Net MVC Core on Apache and more

The Apache web server is very popular; NGinx is also popular. I have used NGinx in the past as a proxy for ASP.Net MVC Core web applications that I developed – SimplePass, PodDB, WebVeta.

I have used Apache in some situations, such as self-hosted Grafana, and am planning to use it for self-hosted Jenkins. Apache is very customizable with plugins.

For the self-hosted Grafana use-case, I wanted MFA, so I used Apache's auth_openidc module to add a security layer. My Google login is protected by a YubiKey Bio – biometric MFA – and by using this technique, my Grafana instance is protected with the same level of biometric authentication.

auth_openidc

A quickstart on how to use auth_openidc is available at: https://auth0.com/docs/quickstart/webapp/apache/01-login

When running ASP.Net Core applications, NGinx, Apache or any other web server that can act as a reverse proxy can forward requests to the Kestrel server (usually port 5000, but configurable). The configuration below needs mod_proxy, mod_proxy_http and mod_headers enabled.

# Tell the application which scheme the client used, since the proxy terminates TLS
<VirtualHost *:*>
    RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
</VirtualHost>

# Forward everything for the site to Kestrel on the loopback interface
<VirtualHost *:80>
    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:5000/
    ProxyPassReverse / http://127.0.0.1:5000/
    ServerName www.domain.com
    ServerAlias *.domain.com
    ErrorLog ${APACHE_LOG_DIR}/app-error.log
    CustomLog ${APACHE_LOG_DIR}/app-access.log common
</VirtualHost>

Here is a list of interesting Apache modules. I personally have not used these yet, but they look very interesting.

ModSecurity – WAF (Web Application Firewall)
mod_alias – Provides for mapping different parts of the host filesystem in the document tree and for URL redirection
mod_allowmethods – Easily restrict what HTTP methods can be used on the server
mod_cache – RFC 2616 compliant HTTP caching filter
mod_evasive – Evasive maneuvers module for Apache to provide evasive action in the event of an HTTP DoS or DDoS attack or brute force attack. Also designed to be a detection and network management tool
mod_file_cache – Caches a static list of files in memory
mod_headers – Customization of HTTP request and response headers
mod_honeypot – Blocks requests from IP addresses blacklisted by Project Honey Pot
mod_http2 – Support for the HTTP/2 transport layer
mod_ipblock – CIDR-based IPv4 address blocking
mod_log_config – Logging of the requests made to the server
mod_log_debug – Additional configurable debug logging
mod_log_forensic – Forensic logging of the requests made to the server
mod_logio – Logging of input and output bytes per request
mod_ratelimit – Bandwidth rate limiting for clients

The above list is NOT exhaustive, but it is definitely helpful for web server defense, forensic logging, etc. I plan to use some of these in the future.

References:

https://en.wikipedia.org/wiki/List_of_Apache_modules

https://httpd.apache.org/docs/2.4/mod/

https://auth0.com/docs/quickstart/webapp/apache/01-login

https://learn.microsoft.com/en-us/aspnet/core/host-and-deploy/linux-apache?view=aspnetcore-7.0


Categories
.Net C#

Polly library for writing resilient .Net code

Polly is a .Net library for writing resilient .Net code. The library can be found at: https://github.com/App-vNext/Polly.

Most of yesterday and this morning, I have been playing around with this library and found the library very useful.

When we develop modern web applications, we consume various services, such as internal or 3rd-party REST / SOAP / gRPC services. Sometimes a 3rd-party service might be intermittently unavailable. Polly provides a fluent way of writing resilient code.

There are several different policies available in Polly; the ones I liked are Retry, Timeout, RateLimit, Cache and PolicyWrap.

The extensive documentation is very well written, and thanks to the 70 contributors who have put in the effort to make a perfectly useful library with extensive documentation.

The Retry policy allows retrying multiple times; we can specify how many times to retry, how long to wait before each retry, etc.

Getting started code:

// Retry up to two more times (three attempts in total) when any Exception is thrown
var retryThricePolicy = Policy.Handle<Exception>().Retry(2);

retryThricePolicy.Execute(() =>
{
    DoSomething();
});

In the above code, we defined a policy that retries two more times if an Exception is thrown. We are not introducing any delay, which is not recommended for production, because there we want to use an exponential backoff strategy.

On the next line we use the policy to execute the method DoSomething. In reality, there could be a few more lines of code.

For introducing a delay, instead of Retry() we can use WaitAndRetry().

Timeout() is for handling timeouts.

Cache() is for a write-through caching strategy.

RateLimit is for handling rate limits, i.e. x requests per second or per minute, etc.

PolicyWrap is for combining policies.

By carefully observing and implementing this pattern, a lot of routine boilerplate code can be removed and the code made more consistent.
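As an added example (not the article's code, nor the Polly project's own), here is how WaitAndRetry with exponential backoff, Timeout and PolicyWrap fit together in the production shape the paragraphs above point at. It assumes the Polly NuGet package with the v7 API, .NET 5 or later, and a hypothetical endpoint URL in the usage comment.

```csharp
// Added example (not the article's code): Polly v7 policies combined for production,
// with exponential backoff instead of the immediate Retry(2) shown in the article.
using System;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
using Polly;
using Polly.Timeout;

public static class ResilientClient
{
    private static readonly HttpClient Http = new HttpClient();

    // Retry up to 3 times on transport failures or timed-out attempts,
    // waiting 2 s, 4 s and 8 s between attempts (exponential backoff).
    private static readonly IAsyncPolicy Retry = Policy
        .Handle<HttpRequestException>()
        .Or<TimeoutRejectedException>()
        .WaitAndRetryAsync(
            retryCount: 3,
            sleepDurationProvider: attempt => TimeSpan.FromSeconds(Math.Pow(2, attempt)),
            onRetry: (ex, delay, attempt, ctx) =>
                Console.WriteLine($"attempt {attempt} failed with {ex.GetType().Name}; waiting {delay}"));

    // A single attempt may take at most 5 s; Polly cancels it through the
    // CancellationToken handed to the delegate below (optimistic timeout).
    private static readonly IAsyncPolicy PerAttemptTimeout = Policy.TimeoutAsync(TimeSpan.FromSeconds(5));

    // PolicyWrap: the outer policy (Retry) wraps the inner one (Timeout),
    // so every retried attempt gets its own 5 s budget.
    private static readonly IAsyncPolicy Resilient = Policy.WrapAsync(Retry, PerAttemptTimeout);

    public static Task<string> GetAsync(string url) =>
        Resilient.ExecuteAsync(ct => Http.GetStringAsync(url, ct), CancellationToken.None);
}

// Usage (hypothetical URL): var body = await ResilientClient.GetAsync("https://api.example.invalid/health");
```

The order passed to WrapAsync matters: with Retry outermost, a TimeoutRejectedException from the inner policy is one of the exceptions the retry handles, which is why it is listed in the Or<> clause.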

I might write another blog post in the future on the usage of Func and Action, how Polly-style code can be written, and how some routine boilerplate code can be avoided.

For example, look at the following code:

try
{
   DoSomething();
   DoSomethingElse();
}
catch (Exception e)
{
   // logger is assumed to be an ILogger available in scope
   logger.LogError(e, "Operation failed");
}

Instead we can implement something like this:

public static void Invoke(Action action, bool reThrow = false)
{
   try
   {
      action();
   }
   catch (Exception e)
   {
      logger.LogError(e, "Operation failed");   // logger is assumed to be an ILogger field in scope
      if (reThrow) throw;                       // "throw;" rethrows without losing the stack trace
   }
}

Now the code can be something like:

Invoke(() => {
   DoSomething();
   DoSomethingElse();
});

For 2 lines of code, we wrote some boilerplate and ended up with 9 lines of code, i.e. 7 lines of overhead.

By using an Invoke() helper method, the overhead is significantly reduced.

This pattern can be used in several situations.


Categories
.Net C#

Easily send alerts to Slack channel using C# and Incoming WebHooks Custom Integration

In this blog post, I am going to show a very simple example of how to send alerts to a Slack channel using C#.

Add a custom integration in Slack: search for Incoming WebHooks and add the custom integration. Make a note of the URL and, as far as possible, treat the URL as sensitive information and store it in a secret location, because anyone who has it can start sending fake messages / spam. But that's beyond the scope of this article.

Now let’s look at some C# code:

// Requires the Newtonsoft.Json package for the JsonProperty attribute
public class Message
{
    [JsonProperty("text")]
    public string Text { get; set; }   // serialized as "text", the field Slack expects
}

In the above code, we have defined a class called Message, with a property known as Text for holding the message.

// Needs: using System.Net; using System.Collections.Specialized; using Newtonsoft.Json;
var url = "https://hooks.slack.com/services/xxx/xxxx/xxxx";   // in real code, load this from a secret store
var message = new Message { Text = "Hello!" };

// WebClient is marked obsolete from .NET 6; HttpClient is the modern replacement
using (WebClient client = new WebClient())
{
    NameValueCollection data = new NameValueCollection();
    // Incoming WebHooks accept the JSON document in a form field named "payload"
    data["payload"] = JsonConvert.SerializeObject(message);

    var response = client.UploadValues(url, "POST", data);
}

Very simple and easy to use. As part of the plan to stabilize and prepare for the production launch of WebVeta, I have been reviewing some security measures and alerts, which were developed and implemented by me at my own startup(s) – ALight Technology And Services Limited and ALight Technologies USA Inc. While reviewing, I found some possible security lapses and wanted to close / minimize the security risks and implement some additional internal custom-built intrusion monitoring, alerting and prevention system. Apart from emails, I thought of adding Slack, and Slack integration seems very simple and straightforward.


Categories
Javascript React

React Functional Components, showing or hiding content based on conditions

In React Functional components, content can be shown or hidden based on conditions.

function Component1() {
    return (
        <React.Fragment>
            <p>Hello!</p>
        </React.Fragment>
    );
}

The above component would always show the paragraph with the text “Hello!”. Now, let’s say if we are displaying content conditionally, we can use the following syntax:

function Component1() {
    // state variable with its setter; initial value false
    const [condition, setCondition] = React.useState(false);

    return (
        <React.Fragment>
            {condition && (
                <React.Fragment>
                    <p>Condition is true!</p>
                </React.Fragment>
            )}
            {!condition && (
                <React.Fragment>
                    <p>Condition is false!</p>
                </React.Fragment>
            )}
            <p>Hello!</p>
        </React.Fragment>
    );
}

In the above code snippet, we created a state variable condition and initialized it to false. If condition is true, the paragraph with the text "Condition is true!" is displayed. If condition is false, the paragraph with the text "Condition is false!" is displayed. Irrespective of the value of condition, the paragraph with the text "Hello!" is displayed.

Depending on the application, the value of condition can be changed and the application's user interface is updated accordingly:

setCondition(true);

The above coding pattern can be used, for example, for displaying a "Please wait" message while some data is loading, or for showing a table only when there is data and something like "No data!" otherwise.

React can be progressively integrated into existing websites or used for new websites; it has an easy learning curve and can run in the browser without even having Node-based server-side rendering. Of course, Node-based server-side rendering etc. can be done, as with other SPA frameworks.

The production version of React's in-browser scripts is ~132kb, about ~45.1kb compressed, and can be served from CDNs. The custom JSX code can be transpiled before production deployment for slightly faster performance, without using Babel in the browser.

That will be the content of a future post, in which I would discuss transpiling and minifying.

Compressing and serving with gzip / brotli, or even using your own CDN in the cloud, is an entirely different topic, but can be done easily for static content.


Categories
.Net C# Solr

Some SolrNET C# programming tips

SolrNet is a .Net library for interacting with Solr from C#.

Solr is a full-text search server built on top of Apache Lucene. Apache Lucene is a full-text search engine library.

SolrNet is a C# library that easily generates the REST calls for interacting with a Solr server.

One of the most important classes is QueryOptions. The QueryOptions class allows several options to be specified, and some of them probably need their own blog posts.

For paging the results, the following options can be used:

var pageNumber = 2;

var options = new QueryOptions()
{
    Rows = 10,                                                   // page size
    StartOrCursor = new StartOrCursor.Start((pageNumber - 1) * 10)   // zero-based offset of the first row
};

The above code gets 10 results, starting from the 11th. The pageNumber variable was 2, so (pageNumber – 1) * 10 is 10. The default is 0, i.e. from the beginning.

Another useful option is specifying the Fields to retrieve. Think of this like specifying the columns to retrieve in a SQL statement instead of all of them, i.e. SELECT col1, col2 instead of SELECT *.

var options = new QueryOptions()
{
    Fields = new[] { "col1", "col2" }
};
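An added example (not the article's code and not from the SolrNet project) that puts the two options together the way a search endpoint would use them: page number and page size come from the caller and are clamped to caps, the field list is fixed, and the field value is passed through SolrQueryByField so Solr syntax in user input is escaped rather than interpreted. The Product document class, its field names, the caps and the injected ISolrOperations<Product> are assumptions of this example.

```csharp
// Added example (not the article's code): bounded paging, a fixed field list and an
// escaped field query on top of SolrNet. Document class, field names and caps are assumed.
using System;
using SolrNet;
using SolrNet.Attributes;
using SolrNet.Commands.Parameters;

public class Product
{
    [SolrUniqueKey("id")] public string Id { get; set; }
    [SolrField("name")] public string Name { get; set; }
    [SolrField("category")] public string Category { get; set; }
}

public class ProductSearch
{
    private const int MaxPageSize = 50;   // assumed cap: a client cannot ask for rows=1000000
    private const int MaxPage = 200;      // assumed cap: deep offsets make Solr do a lot of work
    private readonly ISolrOperations<Product> _solr;

    public ProductSearch(ISolrOperations<Product> solr) => _solr = solr;

    // Same paging arithmetic as the article, but with the caller's numbers clamped first
    public static QueryOptions BuildOptions(int page, int pageSize)
    {
        page = Math.Clamp(page, 1, MaxPage);
        pageSize = Math.Clamp(pageSize, 1, MaxPageSize);
        return new QueryOptions
        {
            Rows = pageSize,
            StartOrCursor = new StartOrCursor.Start((page - 1) * pageSize),
            Fields = new[] { "id", "name" }   // only what the listing needs, like SELECT col1, col2
        };
    }

    public SolrQueryResults<Product> ByCategory(string category, int page, int pageSize)
    {
        // SolrQueryByField escapes Solr query syntax in the value, so input such as
        // "books OR *:*" is matched literally instead of widening the query.
        var query = new SolrQueryByField("category", category);
        return _solr.Query(query, BuildOptions(page, pageSize));
    }
}
```

For very deep paging, SolrNet's StartOrCursor.Cursor (cursorMark) avoids the cost of large offsets; the Start form shown here matches the article's snippet.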

I am hoping this blog post helps someone.

BTW, LMAO! Funny seeing little scumbags of planet earth using some powerful spying equipment and they trying to pass commands. The scumbags/pests/leeches and sl*ts with the equipment have false prestige and false propaganda.


Categories
MySQL

MySQL “FOR UPDATE” And “SKIP LOCKED” clauses

MySQL has two special clauses that are very useful in certain scenarios.

FOR UPDATE:

In certain scenarios we need atomicity, i.e. we lock certain rows, do something, and then update that set of rows. The FOR UPDATE clause is specifically for this.

Example:

START TRANSACTION;

-- `table` is a placeholder name; it is a reserved word in MySQL, hence the backticks
SELECT * FROM `table` WHERE col1 BETWEEN 1 AND 5
FOR UPDATE;

....

COMMIT;

At this point, whatever rows match the criteria are locked; they can be updated as needed, followed by COMMIT or ROLLBACK.

However, if other queries are running in parallel, performance might be slightly affected, specifically in large-scale multi-threaded applications. For this we use SKIP LOCKED, i.e. the other query still runs, skipping the rows that are locked.

Now, combining these two concepts, we can write a SQL statement that locks some rows based on the WHERE criteria while other SQL statements can still proceed.

START TRANSACTION;

-- `table` is a placeholder name; it is a reserved word in MySQL, hence the backticks
SELECT * FROM `table` WHERE col1 BETWEEN 1 AND 5
FOR UPDATE SKIP LOCKED;

....

COMMIT;
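The classic use of FOR UPDATE SKIP LOCKED is a job queue shared by several workers, where each worker must claim a row nobody else holds. The following is an added example, not from the article: a C# worker using the MySqlConnector package. The jobs table (id, status, payload), the MYSQL_CONN environment variable and the status values are assumptions of this example.

```csharp
// Added example (not the article's code): claim one queued job with FOR UPDATE SKIP LOCKED
// so that concurrent workers never process the same row. Schema and env var are assumed.
using System;
using System.Threading.Tasks;
using MySqlConnector;

public static class JobQueue
{
    // Returns the id of the job that was processed, or null when no unlocked queued job exists
    public static async Task<long?> ClaimAndProcessAsync(Func<string, Task> handler)
    {
        var connStr = Environment.GetEnvironmentVariable("MYSQL_CONN")
            ?? throw new InvalidOperationException("MYSQL_CONN is not set");
        await using var conn = new MySqlConnection(connStr);
        await conn.OpenAsync();
        await using var tx = await conn.BeginTransactionAsync();   // locks live until COMMIT/ROLLBACK

        long id;
        string payload;
        await using (var select = new MySqlCommand(
            "SELECT id, payload FROM jobs WHERE status = 'queued' ORDER BY id LIMIT 1 FOR UPDATE SKIP LOCKED",
            conn, tx))
        await using (var reader = await select.ExecuteReaderAsync())
        {
            // Rows locked by other workers are skipped, so an empty result means "nothing free right now"
            if (!await reader.ReadAsync()) { await tx.RollbackAsync(); return null; }
            id = reader.GetInt64(0);
            payload = reader.GetString(1);
        }

        try
        {
            await handler(payload);
            await using var update = new MySqlCommand("UPDATE jobs SET status = 'done' WHERE id = @id", conn, tx);
            update.Parameters.AddWithValue("@id", id);   // parameterised, never string-concatenated
            await update.ExecuteNonQueryAsync();
            await tx.CommitAsync();
            return id;
        }
        catch
        {
            await tx.RollbackAsync();   // releases the row lock; another worker can pick the job up again
            throw;
        }
    }
}
```

Because the row lock is held while the handler runs, keep the handler short or, for long jobs, mark the row as 'processing' and COMMIT first, then do the work in a separate transaction.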


Categories
.Net Azure Key Vault Security

How to use Azure Key Vault for Secrets!

Azure Key Vault is a service for storing sensitive information such as passwords, etc.

The following NuGet packages are required:

Azure.Security.KeyVault.Secrets
Azure.Identity

The following code snippet is for accessing Azure Key Vault programmatically.

// [URL] is a placeholder for the vault URI, e.g. https://<vault-name>.vault.azure.net/
// Needs: using Azure.Identity; (DefaultAzureCredential)
var kvClient = new Azure.Security.KeyVault.Secrets.SecretClient(new Uri([URL]), new DefaultAzureCredential());

// Create (or add a new version of) the secret named "Hello"
var result = await kvClient.SetSecretAsync("Hello", "Hello1");

// Read it back; GetSecretAsync returns Response<KeyVaultSecret>, so .Value.Value is the secret text
var secret = await kvClient.GetSecretAsync("Hello");
Console.Write(secret.Value.Value);

The above code snippet assumes RBAC based authentication.
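The Slack post above says the webhook URL should be kept in a secret location, and this snippet shows how secrets are read; the following added example (not the article's code, nor from the Azure SDK) joins the two: the webhook URL is fetched from Key Vault once and cached, then alerts are posted with HttpClient. The vault URL coming from a KEYVAULT_URL environment variable, the secret name SlackWebhookUrl, and the packages Azure.Identity and Azure.Security.KeyVault.Secrets on .NET 5 or later are assumptions of this example; as in the article, the running identity is expected to have RBAC access to the vault.

```csharp
// Added example (not the article's code): Slack webhook URL read from Azure Key Vault
// instead of being hardcoded, then used to post an alert. Env var and secret name are assumed.
using System;
using System.Net.Http;
using System.Net.Http.Json;
using System.Threading.Tasks;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

public static class SlackAlerts
{
    private static readonly HttpClient Http = new HttpClient();

    // Fetched once per process: Key Vault is rate limited and the URL rarely changes
    private static readonly Lazy<Task<string>> WebhookUrl = new Lazy<Task<string>>(GetWebhookUrlAsync);

    private static async Task<string> GetWebhookUrlAsync()
    {
        var vaultUrl = Environment.GetEnvironmentVariable("KEYVAULT_URL")
            ?? throw new InvalidOperationException("KEYVAULT_URL is not set");
        // Managed identity in Azure, developer login locally; no credential in config
        var client = new SecretClient(new Uri(vaultUrl), new DefaultAzureCredential());
        KeyVaultSecret secret = await client.GetSecretAsync("SlackWebhookUrl");
        return secret.Value;
    }

    // Posts {"text": "..."} as a JSON body, which Incoming WebHooks accept directly
    public static async Task SendAsync(string text)
    {
        var url = await WebhookUrl.Value;
        using var response = await Http.PostAsJsonAsync(url, new { text });
        response.EnsureSuccessStatusCode();   // surfaces a revoked or mistyped webhook immediately
    }
}

// Usage: await SlackAlerts.SendAsync("Login failures exceeded threshold on web-01");
```

The URL never appears in source, config files or logs; rotating it means replacing the secret in Key Vault and restarting the process, with no redeploy.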


Categories
Welcome

Why everyone must use a VPN & Password Manager!

After reading this article, most people might call me paranoid, but here is a very feasible worst-case scenario:

CrossPost: https://kantikalyan.medium.com/why-everyone-must-use-a-vpn-password-manager-9c557a186bc0

CrossPost: https://www.linkedin.com/pulse/why-everyone-must-use-vpn-password

Most of you know, I have been fighting with a group of anonymous hackers/r&aw/mafia psychopaths with very powerful equipment, with invisible microdrones capable of camera video recording, hearing, whispering, mind-reading and subliminal messaging (sleep state + whispering in ears).

After registering my own startup – ALight Technology And Services Limited, I have put significant effort into cyber-security. They might know my code, they might know some other sensitive info, but the most critical data has been locked down i.e when I launch WebVeta, where sensitive customer information would be stored, the servers would be thoroughly locked down. Over the past 1 year, whenever I think of a possible attack vector, I think about how to reduce the possibility.

Because these people have such a powerful equipment, what if they stole a web server’s private SSL key of some major website? What if they have some kind of decryption software/hardware? Now they would start packet sniffing by connecting to wireless networks and all the data submitted, session cookies would be accessible. Wireless networks locked down by mac address are also susceptible, because mac address can be spoofed.

In this scenario VPNs would help, by encrypting packets. Most VPN software requires some kind of fee, but it is probably worth it if you have confidential data, i.e. your own credentials, etc.

There are a few free alternatives, some with restrictions, etc.

I am NOT promoting any of the following VPN vendors, nor do I have any kind of personal / business tie-ups. These are some free VPNs; some have limitations:

Proton VPN – https://protonvpn.com/free-vpn/

Urban VPN – https://www.urban-vpn.com/

Similarly, consider using password managers and MFA (Multi-Factor Authentication).


Categories
Azure CosmosDB Security

Some very important security tip for using CosmosDB on Azure!

CosmosDB is a very fast and efficient database in Azure, offering single-digit millisecond latency.

The usual way of connecting to CosmosDB is using keys, but I would strongly suggest using RBAC roles instead.

Limit the network access to private networks within Azure and create private endpoints for access.

I would even strongly suggest turning off key-based access completely.

Using Azure CLI:

az cosmosdb update --name [CosmosDBAccountName] --resource-group [ResourceGroupName] --disable-key-based-metadata-write-access true

Using PowerShell:

Update-AzCosmosDBAccount -ResourceGroupName [ResourceGroupName] -Name [CosmosDBAccountName] -DisableKeyBasedMetadataWriteAccess $true
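The application side of "use RBAC roles instead of keys", as an added example that is not the article's code: the Cosmos DB client is built from a TokenCredential, so no account key exists anywhere in the application's configuration. It assumes the Microsoft.Azure.Cosmos and Azure.Identity packages, a COSMOS_ENDPOINT environment variable, and that the running identity has been assigned the built-in data-plane role "Cosmos DB Built-in Data Contributor" on the account. Note that the flag shown above, DisableKeyBasedMetadataWriteAccess, blocks key-based writes to metadata (databases, containers, throughput); key-based data-plane access is switched off by the account's disableLocalAuth property, which is what the "turn off key based access completely" step needs.

```csharp
// Added example (not the article's code): connect to Cosmos DB with an Azure AD identity
// and RBAC instead of the account key. Env var name and role assignment are assumptions.
using System;
using System.Threading.Tasks;
using Azure.Identity;
using Microsoft.Azure.Cosmos;

public static class CosmosAccess
{
    public static CosmosClient CreateClient()
    {
        var endpoint = Environment.GetEnvironmentVariable("COSMOS_ENDPOINT")
            ?? throw new InvalidOperationException("COSMOS_ENDPOINT is not set");
        // DefaultAzureCredential resolves to managed identity in Azure and to the
        // developer's login locally; the SDK exchanges it for a Cosmos DB scoped token.
        return new CosmosClient(endpoint, new DefaultAzureCredential());
    }

    // A read that works only if the identity holds a data-plane role on the account;
    // with disableLocalAuth set, a leaked key would not open this path.
    public static async Task<int> CountItemsAsync(CosmosClient client, string database, string containerName)
    {
        Container container = client.GetContainer(database, containerName);
        FeedIterator<int> iterator = container.GetItemQueryIterator<int>("SELECT VALUE COUNT(1) FROM c");
        int total = 0;
        while (iterator.HasMoreResults)
        {
            foreach (int partial in await iterator.ReadNextAsync())
                total += partial;
        }
        return total;
    }
}

// Usage (assumed names): var n = await CosmosAccess.CountItemsAsync(CosmosAccess.CreateClient(), "appdb", "events");
```

If the identity lacks the role, the SDK returns a 403 rather than falling back to a key, which is the behaviour you want once key access is disabled.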

Reference:

https://learn.microsoft.com/en-us/azure/cosmos-db/role-based-access-control
