I had a need to generate random passwords and / keys and update various config files. For example, keys and passwords used by log ingesting utilities such as FileBeat, PromTail, MetricBeat etc…
In earlier blog posts, I have mentioned, that at this point log ingestion, retention and major alerts implementation is complete. So, obviously the next part is securing the keys.
I know the hacker spies – India’s psychopath R&AW spies can and are seeing any plain-text items on screen and if I am not wrong, they might have even hacked into my accounts several times. Yes, they say they are investigation teams etc… bull-shit but in reality they are corrupted and are the criminals i.e greedy investigators / spies who did crime and are trying to get away from crime.
Anyway, because I know how the “prying eyes” equipment works, I need to defend myself from the hacker spies as much as possible. For more info about this scam: https://www.simplepro.site.
Here is a small C# code snippet for reading from console without echoing back:
Now everyone knows how to do open a file, read content and replace content. A simple program can be developed that would take the path of config file, old value, new value and replace.
i.e for example during test, alpha modes if a key is “KEY” and then later if you use a random password generator that would generate password and copy into memory, this type of small tool can help with replacing “KEY” with the “RAND0M P@$$W0rd”.
Some code sample:
Console.WriteLine("Enter filepath:");
var fileName = Console.ReadLine();
var sr = new StreamReader(fileName);
var content = sr.ReadToEnd();
sr.Close();
Console.WriteLine("Enter Search Phrase:");
var searchPhrase = Console.ReadLine();
var matchedIndex = content.IndexOf(searchPhrase);
if(matchedIndex >= 0)
{
Console.WriteLine("Match found.");
Console.WriteLine("Enter replacement text:");
var replacementText = GetSensitiveText();
var sw = new StreamWriter(fileName);
sw.Write(content.Replace(searchPhrase, replacementText));
sw.Flush();
sw.Close();
}
We prompt for the path to the config file, prompt for the search text. If the search text is found, we prompt for the secret i.e the replace text. But, we don’t echo the new sensitive info to the Console. Then the search text is replaced with new sensitive info and then we write the contents back to the file.
Centralized log management is very important for any tech company of any size. For larger companies, entire company logs need not be centralized but can be segmented based on department or product etc…
ALight Technology And Services Limited is both product and service based company. Currently offers two completely free products – SimplePass and PodDB. With SimplePass, I am not worried much because except for the code there is no data on the server and obviously no customer specific data. With PodDB the risk is slightly higher because there is data but no customer specific data. As of now the AWS account, servers are very highly secured with immediate alerts on login into AWS console or servers, new EC2 instances, instance terminations etc… With the infrastructure, access to infrastructure being secured, the next step is external threats and being able to respond to external threats. These are very important steps prior to developing any products that would possibly contain customer data. What if someone tries to hack by sending malicious payload or DOS (Denial of Service) or DDOS (Distributed Denial of Service)? For identifying, mitigating, preventing such things it’s very important to have proper log management techniques, monitoring of metrics, proper alerts and proper action plan / business continuity plan when such incidents occur. Even if such a thing happened, it’s very important to have logs so that computer forensics can be performed. No company is going to offer free products for ever without generating revenue, in a similar way ALight Technology And Services Limited does have plans of developing revenue generating products or offer services such as architecting, development, hosting etc… Compared with modern days powerful hacking equipment of the anonymous group that calls them the “eyes” (don’t get confused with the intelligence “five eyes”, as a matter of fact the anonymous “eyes” are targeting the five countries that formed the “five eyes” and any whistleblowers like me in this context – I am the whistleblower (but not R&AW) of India’s R&AW equipment capabilities and the atrocities that have been done by the R&AW spies against me), the current state of information security standards are much below.
I have looked into 3 solutions and each of these solutions had strengths and benefits.
What I was looking for:
For example – PodDB has web server logs (NGinx), ASP.Net Core web application logs, and a bunch more of logs from microservice that interacts with the database, microservice that writes some trending data, microservices that queries solr etc… So my log sources are multiple and I want to aggregate all of these along with other logs such as syslog, mariadb audit log etc…
AWS Cloudwatch:
CloudWatch allows easy ingestion, very high availability, metrics, alarms etc… 5GB per month of log ingestion for free. However, live tailing of the logs i.e being able to see logs as they soon as they are ingested is a bit problematic. Even querying / viewing across log groups is a bit problematic. The strength is the definable retention period for each log group. Once ingested the logs cannot be modified, so definitely a great solution if storing logs for compliance reasons. AWS should consider introducing data storage tiers like S3 data storage i.e lifecycle transition – hot logs can be queried and definable period, then lifecycle transition and logs would be stored for archival purpose for some period and then deleted.
2. ELK Stack:
ELK stack consists of ElasticSearch, LogStash and Kibana. ElasticSearch for full-text search capabilities, LogStash for log ingestion, KIbana for visualization. This review is about the self-hosted version. The ELK stack has plenty of features and very easy management if the application and all of it’s components can be properly configured. Built-in support for logs, live tailing of logs, metrics etc… Easier management using ElasticAgents i.e ElasticAgents can be installed on multiple machines and what data should be ingested by each agent can be controlled by the web interface. However, ELK stack seemed a bit heavy in computing resource consumption and for whatever reason, LogStash crashed several times and the system crashed i.e the EC2 instance just hanged, couldn’t even restart. ELK Stack supports, hot and cold log storages i.e the past 15 – 30 days of logs can be kept in the hot storage and the older logs can be automatically moved into cold tier i.e not queried frequently but are kept for various reasons.
3. Graylog:
This is about self hosted version of Graylog. Graylog focuses only on log management. Very easy to setup and ingest logs. Easy querying of logs. No support for metrics. Graylog allows creating snapshots of older data which can be stored elsewhere, restored and searched on a necessity basis.
4. Grafana
This is about the free Grafana account. Grafana offers very generic 50GB log ingestion per month. Logs can be easily ingested into Loki and viewed from Grafana. Metrics can be ingested into Graphite and viewed. Very easy to setup alerts. I have not tried yet but the free tier has 50GB of traces ingestion per month. One of the very best features I liked about Grafana is easy way of tagging logs. If log sources are properly tagged, combining and viewing multiple log sources is very very easy.
Thank you Grafana for such a generous free tier and such a great product.
There seems to be no control of retention period. Grafana paid subscription has control of retention period. The paid version starts at $8 per month. I do have plans about signing up for paid account just before launching commercial products specifically for planning retention i.e either Grafana can store the older logs for few extra months on my behalf or if they can provide a solution to upload into S3 glacier and of course when needed being able to restore from S3 Glacier and being able to search, because storing old logs in S3 Glacier and if there is no way of restoring and searching then the entire purpose of storing old logs would not make sense.
In my continued pursuit of strengthening the security infrastructure at my own startup – ALight Technology And Services Limited, I have written few blog articles in the past regarding securing web applications, importance of audit, logs – part of the NIST Cyber Security Framework. This blog post talks about some things I have done on AWS infrastructure. While running a company with no other employees and while being the target of state-sponsored / state-trained hackers, I ended up learning a lot and now I have dabbled in pretty much everything in computing (expert at development, learning system administration, infosec etc… as part of running my own startup).
I created a base Ubuntu image by enabling ufw, installed auditd, installed cloudwatch log agent, closing unnecessary ports, some custom alerters as soon as a SSH login happens etc… I call this AMI the golden AMI. I also update the golden AMI every few months. The advantage of using a golden AMI like this is any EC2 instance you would launch would have these in place.
I am using ELK stack along with Cloudwatch logs and S3 for logs. ELK stack for log analysis i.e logs are stored for a shorter period, Cloudwatch logs for various other reasons, (can’t disclose) and finally S3 glacier for longer term retention.
With the above mentioned setup, if an incident happens, all the necessary logs would in place for analysis.
I wanted to give a quick introduction to Cloudwatch log agent, AuditD as part of this blog post.
People who have vast experience in I.T know that security is of utmost importance and needs to be implemented in layers. I had a need to secure my Kibana implementation and I want to thwart hackers. I had two options:
Use VPN
Secure the website
Now, the problem very few VPN’s like Cisco AnyConnect support biometric authentication, ElasticSearch/Kibana’s security options are very less in the self-hosted version.
Thanks to Apache web server for the resuce. Apache web server has this plugin known as mod_auth_oidc, this plugin can be used at the web server level i.e the web server takes care of authorizing users. Kibana is hosted at https://kibana.alightservices.com.
I think this is a very great feature and everyone must use wherever possible for public-facing web applications that would be consumed by OAUTH2 or OpenID.
Moreover this plugin can easily enable SSO (SingleSignOn) features and all of this with just some basic configuration.
I have mentioned in previous blog articles about centralized logging and monitoring. I have experimented with various metrics collection tools and log tools. Currently all the logs are being ingested i.e collected but no proper analysis.
I have read about ELK stack and based on the articles and the availability of plugins, seems like ELK stack is the perfect choice.
Over the next few weeks I would be implementing ELK stack and would definitely share some knowledge.
In the past I have mentioned about the NIST Cyber Security Framework and as part of implementing NIST Cyber Security Framework and improving the security at ALight Technology And Services Limited, additional logging, monitoring and alerting systems are being implemented i.e ALight Technology And Services Limited’s stance when it comes to Cyber Security is hardened security is the top most priority before any kind of consumer / customer data is stored. This helps ALight Technology And Services Limited’s long term vision of providing several B2B, B2C free, paid and freemium products.
I wanted to do a live coding session for a little security utility / tool but ended up showing several things, the need for such a tool and talked about the sophisticated spies / hackers equipment. I will definitely do some live coding and open source the tool.
In the past I have mentioned about having proper MFA enabled VPN in some of my Youtube videos on ALight Technology And Service’s official Youtube channel (https://www.youtube.com/@alighttechnologyandservicesltd), I have come across a free VPN known as Pritunl, and Pritunl has SSO support and YubiKey support as per the documentation located here. However there is a glaring security issue in the setup process. The passwords and keys are generated and shown in plain text. This is a very big problem. So, I thought I would create a set of two tools that would do the following:
Tool-1 (on the server):
Accepts a Key, IV i.e prompts for Key and IV, but when these are entered, the tool would not display the values i.e does not output the key and IV entered on the screen (more like prompting for a password).
Prompts for a command to run
Executes the command, captures the standard output and standard input.
If there is a error – displays on the screen
If no error, encrypts the standard output and displays on screen.
Tool-2 (on the clientside – on the laptop)
Generate a IV, Key for symmetric encryption.
Copy the Key to clipboard when required (button click for Windows application or some kind of console press key)
Copy the IV to clipboard when required
Accept a block of string, decrypt and copy the plaintext into clipboard.
Whenever anything is copied into clipboard, automatically clear clipboard after a configurable time such as 10 or 20 seconds.
With these 2 tools, I can generate a new Key, IV pair, launch the server tool, input the key, IV. Then I can run some command, get the keys or passwords generated by commands encrypted and displayed. I can copy the outputted value on server into the desktop app, then decrypt and use wherever I want.
These are tools not necessary everyday but definitely necessary, especially if being targeted by hackers, spies and ransom asking goons (aka takers / all). I am considering open sourcing the code for these 2 tools. This code can also serve as an introduction to symmetric encryption in C#. The code would also have some usage of System.Diagnostics.Process class. I might even do a live coding session, shouldn’t take longer than 15 – 20 minutes. If I do a live coding session, I would explain the concepts.
On December 22nd at 17:45 India Standard Time (12:15 GMT / 07:15 EST), I am doing a live video on showing the security. That’s why they were not able to hack my WordPress although they had a very powerful spying / hacking equipment.
YubiKey Bio:
I have Yubikey Bio, it’s a biometric authentication USB device. Some websites support multi-factor authentication with hardware devices such as Yubikey. The difference between normal hardware keys and Yubikey Bio is the biometric authentication. With normal hardware keys anyone with access to the USB device can login, but with Yubikey Bio – biometric authentication happens i.e Yubikey Bio verifies fingerprint.
Nextend Social Login Plugin for WordPress:
Nextend Social Login Plugin – This plugin allows me to login via Google. There is a little setup in GCP console. But ultimately allows me to use Google login. I have configured in such a way that only admin@alightservices.com is allowed to login using Google authentication. I have secured my Google login to use Yubikey Bio.
Duo Two-Factor Authentication:
Duo Two-Factor Authentication allows further securing the wordpress installation by using Yubikey Bio. There is a little bit of configuration to be done.
In this setup I first need to login into my Google account – admin@alightservices.com, then I am prompted for Biometric authentication. Then I login into wordpress and once again I am prompted for biometric authentication. This way no one else can login into my WordPress account.
By reviewing the logs, there have been several thousand login attempts but all of those have been thwarted with this setup. i.e even with proper password, they can get to the MFA screen but not any further.
India’s R&AW spies have a very powerful spying / hacking equipment. I think it might be invisible drone with very powerful capabilities such as recording video, audio, speakers used for whispering and even mind reading capabilities. With such a powerful hacking equipment, normal usernames and passwords are obsolete. The list of hackers/impersonators/identity thieves might include: erra surnamed people – diwakar / karan / kamalakar / karunkar / erra sowmya / erra sowjanya / zinnabathuni sowjanya / thota veera / uttam / bojja srinivas / mukesh golla / bandhavi / female identity thieves who claim to have my first name – Kanti and their helper pimp Kalyan’s (I am Kanti Kalyan Arumilli – those escorts and pimps tried to break my identity). Some of them have multiple aliases and multiple surnamed virtual identities.
As part of implementing NIST Cyber Security Framework at ALight Technology And Services Limited, one of the important thing to audit / log was database server. I am currently ingesting some logs into CloudWatch. In a blog post / youtube video in the future, I would show how to ingest logs into CloudWatch.
As a one person I do multiple things, now, I digged into some DBA work 🙂
This blog post is about writing audit log for MariaDB. In this blog post MariaDB Audit Plugin would be enabled and configured.
Update conf file, usually /etc/mysql/mariadb.cnf on Ubuntu, but could be different. Add the following lines under [mysqld]:
[mariadb]
plugin_load_add = server_audit
server_audit=FORCE_PLUS_PERMANENT
server_audit_file_path=/var/log/mysql/mariadb-audit.log # path to the audit log
server_audit_logging=ON
server_audit_events = 'CONNECT,QUERY,TABLE'
server_audit_file_rotate_size=1000000 # in bytes
server_audit_file_rotations=10
That’s all. The variables are pretty much self-explanatory. There are few more variables that can be used. Here is a link explaining the variables: Audit Plugin Options.
plugin_load_add – loads the plugin.
server_audit – we want the plugin to be permanently activated.
server_audit_file_path – Path to the file.
server_audit_logging – ON – we want the logging to happen
server_audit_events – We are logging connection requests, queries including failed queries and the affected tables.
server_audit_file_rotate_size – Max file for log before generating new file.
server_audit_file_rotations – Number of older files to hold before deleting.
There is an option for writing into syslog, by settingserver_audit_logging = ‘syslog’ but that’s beyond the scope of current blog post and I would prefer having a seperate file instead of getting sql log mixed into syslog – Personal preference.
This blog post is about some monitoring and alerting tips for AWS workloads.
AWS Console Logins – Root or IAM user
SSH into an EC2 instance
The above mentioned are considered primary. In addition the following monitoring are necessary:
3. What actions were performed by users and/or AWS such as launching EC2 instances (manual or autoscaling) or configuring Route53 or Security Groups etc…
4. Web logs, Load Balancer logs, Cloudfront logs in rare cases of DDOS attacks by the baddies.
5. Application logs
6. Database logs
7. System logs
In the next few weeks, I would be writing or even live videos / tutorials on how to monitor and alert for 1, 2 and 3. Some of these are based on using existing systems and in some cases, I would show manual and programmatic (C# preferred language of choice) approaches.
I would also share some blog posts on how to ingest logs into AWS Cloudwatch (5 GB ingestion free and some other costs) and Grafana (50GB ingestion free), discuss advantages and disadvantages of both.
As part of implementing NIST cyber security framework at ALight Technology And Services Limited, I am implementing these. I like sharing my knowledge with others as I come across new things, learn new things, even existing knowledge when appropriate, sometimes a blend of existing knowledge and new things.
We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
Cookie
Duration
Description
cookielawinfo-checkbox-advertisement
1 year
Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics
11 months
This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional
11 months
The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary
11 months
This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others
11 months
This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance
11 months
This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy
11 months
The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
