Tag: Security

Importance of securing keys

Post author By Kanti Kalyan Arumilli
Post date 10 November 2023

In the past, I have written several times of powerful surveillance equipment in the hands of br*thel mafia! The equipment has video camera capabilities i.e viewing, listening, speakers – making noise / sounds / talking and even mind-reading. The equipment also has mind-reading and neural manipulation capabilities. They sometimes even enact as though helping by prompting, but in reality mind-reading / guessing i.e predicting.

Now when it comes to passwords, secure configuration keys it’s very hard to keep these away from these cyber thugs. Software should not show keys, even public keys. For example, most Cloud based connection keys, instead should be sent directly to KeyVault etc…

Even VPN software such as Wireguard. When Wireguard displays public key, it’s like anouncing “find the corresponding private key”. If they have some kind of advanced computers (probable, because they have advanced equipment), they can probably crack the key in few minutes. If the public keys are not displayed, ask them to guess. If they capture network packets, if they know the plain bytes being transmitted, they could try. Takes little extra work for them to figure out.

The software I develop at my startups – ALight Technology And Services Limited (U.K) ALight Technologies USA Inc (U.S.A) are definitely going to make the cyber thugs game harder.

We software engineers should make the work of cyber thugs harder, not easier. Those cyber thugs are like a gang of dacoits anyway.

BTW, why do I call them br*thel mafia? Because they offer women and ask me to participate in crime! Don’t know if some of the women are being blackmailed or not, but some of them seem to be sl*ts. Some women are sensitive and could have been blackmailed by n*des etc…

I don’t have any fake aliases, nor any virtual aliases like some of the the psycho spy R&AW traitors of India. NOT associated – “ass”, eass, female “es”, “eka”, “ok”, “okay”, “is”, “erra”, yerra, karan, kamalakar, diwakar, kareem, karan, sowmya, zinnabathuni, bojja srinivas (was a friend and batchmate 1998 – 2002), mukesh golla (was a friend and classmate 1998 – 2002), thota veera, uttam’s, bandhavi’s, bhattaru’s, thota’s, bojja’s, bhattaru’s or Arumilli srinivas or Arumilli uttam (may be they are part of a different Arumilli family – not my family).

–

Mr. Kanti Kalyan Arumilli

Arumilli Kanti Kalyan, Founder & CEO

B.Tech, M.B.A

Founder & CEO, Lead Full-Stack .Net developer

ALight Technology And Services Limited

ALight Technologies USA Inc

Youtube

Facebook

Phone / SMS / WhatsApp on the following 3 numbers:

+91-789-362-6688, +1-480-347-6849, +44-07718-273-964

+44-33-3303-1284 (Preferred number if calling from U.K, No WhatsApp)

kantikalyan@gmail.com, kantikalyan@outlook.com, admin@alightservices.com, kantikalyan.arumilli@alightservices.com, KArumilli2020@student.hult.edu, KantiKArumilli@outlook.com and 3 more rarely used email addresses – hardly once or twice a year.

Tags Security

Security

Some nice to have security features in Operating Systems

Post author By Kanti Kalyan Arumilli
Post date 2 November 2023

I think the CyberSecurity market is going to increase multi-fold, because I know the capabilities of the anonymous spies/hackers/mafia’s invisible drone equipment. They would put the blame on “five eyes” etc… But why would “five eyes” help for infiltrating their own countries? Does not make sense. I.T industry under threat by the equipment mafia/spies. Mafia = organized crime! The equipment has been mis-used for organized crime, they can be and should be considered mafia, although rogue R&AW spies. They have even stole money from bank account.

I think Operating Systems should be secure. For example, normal people don’t run servers etc… block incoming connections. Everyone don’t have printers / other laptops in the network. Remote access / admin shares are not needed. When necessary, I.T professionals know what to do.

Create secure filesystem areas for sensitive info for special apps such as VPNs etc…

Password based logins are no longer secure. Enable bio-metric or hardware keys based login and provide the ability to disable password based login. Even mobiles should do this.

Don’t show sensitive information in alerts such as SMS – the invisible drone equipments guys did several OTP thefts on several occassions, They even stole money from my own bank accounts.

Websites should not show config keys etc… in plain text. I think Azure and AWS should allow the ability to export keys directly into KeyVault or SecretsManager etc… For example some blob storage key or IAM role keys – allow specifying the name for storage and directly store.

Seriously the world of computing is under threat from the mafia psychopath’s equipment. They did steal money, they did organized crime, murder attempts, they did try to put the blame on others, they did shadow, stalk, harass, blackmail, threaten etc… Probably signature forgeries, money laundering etc…

–

Mr. Kanti Kalyan Arumilli

Arumilli Kanti Kalyan, Founder & CEO

B.Tech, M.B.A

Founder & CEO, Lead Full-Stack .Net developer

ALight Technology And Services Limited

ALight Technologies USA Inc

Youtube

Facebook

Phone / SMS / WhatsApp on the following 3 numbers:

+91-789-362-6688, +1-480-347-6849, +44-07718-273-964

+44-33-3303-1284 (Preferred number if calling from U.K, No WhatsApp)

Tags CyberSecurity, Security

Security VPN

Some interesting and important configuration settings for OpenVPN

Post author By Kanti Kalyan Arumilli
Post date 2 November 2023

Yesterday in the announcements blog, I have mentioned about – Security levels at ALight Technology And Services Limited (U.K) ALight Technologies USA Inc (U.S.A).

Over the past few months, I have been writing about CyberSecurity, VPNs etc… I am using two levels of encryption i.e outer layer uses OpenVPN and the traffic gets sent to a OpenVPN server, the second layer is based on Wireguard. I use Oracle VM Virtual Box with Ubuntu linux for accessing sensitive servers. The ubuntu virtual box uses Wireguard based VPN while the Windows based laptop uses OpenVPN.

The reference manual for OpenVPN can be accessed from: https://openvpn.net/community-resources/reference-manual-for-openvpn-2-6/

–fast-io: Experimental but apparently has speed improvement.

–mlock: Tunnel data etc… are not written to disk, might have some speed improvement.

–script-security: The security setting for allowing what types of scripts to execute.

–allow-compression (NO): Don’t use compression.

–auth: Use 256-bit or higher algorithms, I am using 512-bit.

–auth-user-pass: Client option for the GUI to prompt for username and password.

–single-session: After first connection, don’t allow more connections.

–max-clients: Maximum number of concurrent clients to allow.

–verify-client-cert: Use require

–reneg-sec: How often should the keys get changed

–tls-cert-profile: Use at least preferred

–tls-cipher: Specify list of ciphers i.e mention only strong ciphers. Suggestion: TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA

–tls-version-min: Use “1.2”

–hand-window: How long can a handshake happen.

–tcp-queue-limit: Use 4096, the default value very less and causes connection drops.

–sndbuf: 512000 for buffer size, the default values cause connection drops.

–rcvbuf: 512000 for buffer size, the default values cause connection drops.

The other interesting useful options:

txqueuelen 15000
tun-mtu 9000
mssfix 0

auth-gen-token
reneg-sec
tran-window

The following scripting options are useful:

client-connect
client-disconnect

–auth-user-pass-verify

–

Mr. Kanti Kalyan Arumilli

Arumilli Kanti Kalyan, Founder & CEO

B.Tech, M.B.A

Founder & CEO, Lead Full-Stack .Net developer

ALight Technology And Services Limited

ALight Technologies USA Inc

Youtube

Facebook

Phone / SMS / WhatsApp on the following 3 numbers:

+91-789-362-6688, +1-480-347-6849, +44-07718-273-964

+44-33-3303-1284 (Preferred number if calling from U.K, No WhatsApp)

Tags Security, VPN

Security Tailscale VPN

A review and discussion of the free tier of Tailscale-2

Post author By Kanti Kalyan Arumilli
Post date 30 October 2023

This blog post is a continuation of: https://www.alightservices.com/2023/10/30/a-review-and-discussion-of-the-free-tier-of-tailscale/

In my own startups – ALight Technology And Services Limited (U.K) ALight Technologies USA Inc (U.S.A) I do everything from end-to-end i.e coming up with ideas, analysing value proposition, deciding on features, feature prioritization, cloud architecture, technical architecture, actual development, some sanity checks, deployment with the help of some CI/CD tools based in the cloud and blog articles in the open internet. I have been evaluating and experimenting with various methods of securely accessing cloud workloads.

I have tried few more things after writing the above mentioned blog post:

MagicDNS and Serve: Definitely useful feature for quick demos or prototypes.

SSH: SSH via Tailscale, did not trigger my alerts. I have configured and developed my own monitoring and alerting system based on NIST CyberSecurity Framework. When I SSH’ed via Tailscale by advertising node by passing –ssh these did not get triggered. The reason could be because Tailscale SSH does not use port 22 and that’s why port does not need to be opened. This option did not even require the .pem or password because SSH is being done directly inside of Tailscale rather than normal port 22.

I have not tried SSH without –ssh option i.e normal ssh while connected to VPN overlay yet.

I have uninstalled Tailscale and I might make further trials later or tomorrow.

BTW in my own startups – ALight Technology And Services Limited (U.K) ALight Technologies USA Inc (U.S.A) I do everything from end-to-end i.e coming up with ideas, analysing value proposition, deciding on features, feature prioritization, cloud architecture, technical architecture, actual development, some sanity checks, deployment with the help of some CI/CD tools based in the cloud and blog articles in the open internet.

–

Mr. Kanti Kalyan Arumilli

Arumilli Kanti Kalyan, Founder & CEO

B.Tech, M.B.A

Founder & CEO, Lead Full-Stack .Net developer

ALight Technology And Services Limited

ALight Technologies USA Inc

Youtube

Facebook

Phone / SMS / WhatsApp on the following 3 numbers:

+91-789-362-6688, +1-480-347-6849, +44-07718-273-964

+44-33-3303-1284 (Preferred number if calling from U.K, No WhatsApp)

Tags Security, Tailscale, VPN

Security Tailscale VPN

A review and discussion of the free tier of Tailscale

Post author By Kanti Kalyan Arumilli
Post date 30 October 2023

Tailscale is a SaaS product offering, enabling easy VPN networks of scale on top of WireGuard. I have been using Tailscale for 2 – 3 months now and I plan to use more Tailscale features soon. This article is not a hands on guide, but more of a discussion on the features.

Someday I might upgrade to the paid plans.

Simple and straightforward installation, setup and thorough documentation.

Tailscale machines can be registered in the network, removed from the console. By default machines need to be registered every 24 hours, but if needed key expiry can be disabled.

By registering machines, the machines are registered in an overlay network and can communicate. The communications, user-access can be configured via policies. I think it’s very important to use –shields-up argument with tailscale up on client machines where we don’t want inbound connections. Considering the anonymous mafia equipment, I think there is a small loophole where a hacker might temporarily gain control a server in some scenarios – I have reported and suggested an alternative way: https://github.com/tailscale/tailscale/issues/8823

tailscale up --shields-up

VPN via exit node:

Although not the primary use-case, one of the Tailscale nodes can be configured as exit-nodes and can be used as VPN with very minimal configuration. This is one of the features, I have been using. I have a exit node in AWS in London region and I use the exit node like a VPN. The reason, I liked this feature is because, I don’t need to open any ports to the public internet or even for my own IP.

SSH:

Another useful feature, for semi-secure environments such as Development / QA could be SSH. Without opening the ports SSH can be done through Tailscale portal. I have used this feature few times.

WebHook Alerts: Webhook alerts can be used for getting notifications. I have configured Slack for alerts.

Some features, I haven’t tried yet but plan to:

Lock: Locks allow key signing from trusted internal nodes.

MagicDNS: MagicDNS allows an internal DNS. Should be useful for Dev / QA environments, internal applications etc…

Cert: Allows generating certificates based on MagicDNS i.e internal applications can be accessed securely using SSL.

Serve: Spin up a web-server. This can be done from command-line for some quick tests / validations without worrying about web server configurations in Dev / QA environments. For longer-term, I think configuring NGinx / Apache / IIS would be more useful.

SSH Session Recording: This is a paid feature but definitely useful i.e SSH sessions via Tailscale can be recorded.

Tailscale has extensive documentation and should be straightforward for most users.

–

Mr. Kanti Kalyan Arumilli

Arumilli Kanti Kalyan, Founder & CEO

B.Tech, M.B.A

Founder & CEO, Lead Full-Stack .Net developer

ALight Technology And Services Limited

ALight Technologies USA Inc

Youtube

Facebook

Phone / SMS / WhatsApp on the following 3 numbers:

+91-789-362-6688, +1-480-347-6849, +44-07718-273-964

+44-33-3303-1284 (Preferred number if calling from U.K, No WhatsApp)

Tags Security, Tailscale, VPN

Security

Securing the Cloud using multiple-layers of security

Post author By Kanti Kalyan Arumilli
Post date 6 September 2023

This blog post discusses some multi-layered security approach with several MFA based authentications.

In the current world, cyber-security has become the biggest threat! With the rise of hackers, powerful hacking equipment / techniques, even people with bare minimum knowledge of computing can become hackers.

This blog post in a certain way shows techniques to reduce the attack area. In the past, I have written few blog posts regarding cyber-security, this is in continuation of the overall concepts. Here are the blog posts:

How to get alerts for SSH / OpenVPN logins on AWS EC2 or any other debian/ubuntu based servers – ALight Technology And Services Limited (U.K) ALight Technologies USA Inc (alightservices.com)

WireGuard, OpenVPN, Pro Custodibus, TailScale – ALight Technology And Services Limited (U.K) ALight Technologies USA Inc (alightservices.com)

How to easily install OpenVPN and some easy C# code snippets for Process class – ALight Technology And Services Limited (U.K) ALight Technologies USA Inc (alightservices.com)

A method for randomizing VPN security for cloud based workloads – ALight Technology And Services Limited – ALight Technology And Services Limited (U.K) ALight Technologies USA Inc (alightservices.com)

The over-all concept is about using one-time use VPN profiles with time limits on the validity of the connection. i.e Once I create and connect to a VPN server, if anyone ever gets hold of the VPN profile and attempts to connect, the connection should not be allowed and based on organizations policy, breach alert should be sent / any other mitigation action should be performed.

As of now, ALight Technology And Services Limited does not have any other employees but, based on employee permissions and categories, the VPN’s outbound IP address should be segregated i.e x.x.x.x for accessing accessing production environments, y.y.y.y for different set of resources etc…

By doing this type of segregation, it becomes easy to segregate cloud workloads on top of IAM policies in AWS / RBAC in Azure. Moreover the policies can be restricted.

This being the over-all policy, I am going to implement such a implementation soon. In the anouncements blog – ALight Technology And Services Limited: Internal maintenance, server migration (alightservices.com), I have mentioned about moving most AWS cloud workloads into Azure for easier management reasons, because the biggest workload of ALight Technology And Services Limited – WebVeta is going to be hosted on Azure. Because I am attempting Azure Certified Developer Associate certification on September 15th (Thanks Microsoft for the free exam voucher, gratitude). I am planning to get the Server migration completed by September 20th. The planned one-time use VPN profiles implementation + moving developer workload into the cloud by September 25th – i.e After this implementation, the source code, development, visual studio would be in the cloud. My laptop would not have anything critical. I am considering doing a webcast soon and would cover the following topics:

Using YubiKey for logging into laptop – not too useful, because this step can be bypassed and any other laptop can be used.
Setting up one-time use OpenVPN profile secured by a random password with pre-configured validity – One of the critical step.
Biometric Authentication MFA for accessing AWS for getting the OpenVPN profile.
Accessing internal servers i.e RDP for Windows / SSH for Linux and requiring YubiKey – Another critical step – TODO i.e I still need to implement this step. / Alternatively, having a different kind of MFA requirement prior to accessing RDP for Windows or SSH for Linux.

By doing the above set of activities, the following multi-layered security can be implemented:

MFA for accessing VPN profile.
One-time use VPN profile with pre-configured validity.
Random and different password for each profile.
Alerts / Mitigations for any breach / second attempts – sometimes could be false alarm i.e network reasons.
Requiring another layer of MFA for accessing the VPN profile.
Another layer of MFA for accessing servers.

Now, here are some No-No’s:

Don’t use the same type of MFA for all the stages, use different form of MFA or different MFA device for each stage i.e lost phone / stolen one-time codes / keys would not affect. If for example, if you are using same totp generator / normal yubikey / mobile phone for SMS, losing the key or phone can cause a breach. But having different MFA at each stage would minimise the problem.

Irrespective of how many layers of security or how much cyber security measures, implement logging, monitoring, metrics, alerting and do review the logs, monitor metrics for abnormalities. Have a plan of action i.e what to monitor, what are considered normal, what are considered abnormal, how to detect and attack, what needs to be done during an attack for mitigation, what needs to be done for reversing the damage, how to identify the damage, root-cause analysis, future mitigation, communication plan based on what has happened.

I am hoping this blog post and some of my previous blog posts, can help small SME’s and small startups like mine.

–

Mr. Kanti Kalyan Arumilli

Arumilli Kanti Kalyan, Founder & CEO

B.Tech, M.B.A

Founder & CEO, Lead Full-Stack .Net developer

ALight Technology And Services Limited

ALight Technologies USA Inc

Youtube

Facebook

Phone / SMS / WhatsApp on the following 3 numbers:

+91-789-362-6688, +1-480-347-6849, +44-07718-273-964

+44-33-3303-1284 (Preferred number if calling from U.K, No WhatsApp)

Tags Security

.Net C# Cryptography Security

Symmetric encryption using TripleDES in C#

Post author By Kanti Kalyan Arumilli
Post date 15 August 2023

Symmetric encryption is an encryption technique where the same set of keys are used for encryption and decryption. Whereas, Asymmetric encryption uses different keys i.e public key for encryption and associated private key for decryption.

TripleDES is an algorithm for implementing symmetric encryption.

TripleDES uses Key and IV.

public string EncryptTripleDES(string plainText, byte[] Key, byte[] IV)
{
    byte[] encrypted;
    using (TripleDESCryptoServiceProvider tdes = new TripleDESCryptoServiceProvider())
    {
        ICryptoTransform encryptor = tdes.CreateEncryptor(Key, IV);
        using (MemoryStream ms = new MemoryStream())
        {
            using (CryptoStream cs = new CryptoStream(ms, encryptor, CryptoStreamMode.Write))
            {
                using (StreamWriter sw = new StreamWriter(cs))
                    sw.Write(plainText);
                encrypted = ms.ToArray();
            }
        }
    }
    return Convert.ToBase64String(encrypted);
}

The above code snippet is for encryption.

public string DecryptTripleDES(string cipherText, byte[] Key, byte[] IV)
{
    string plaintext = null;
    var cipherBytes = Convert.FromBase64String(cipherText);
    using (TripleDESCryptoServiceProvider tdes = new TripleDESCryptoServiceProvider())
    {
        ICryptoTransform decryptor = tdes.CreateDecryptor(Key, IV);
        using (MemoryStream ms = new MemoryStream(cipherBytes))
        {
            using (CryptoStream cs = new CryptoStream(ms, decryptor, CryptoStreamMode.Read))
            {
                using (StreamReader reader = new StreamReader(cs))
                    plaintext = reader.ReadToEnd();
            }
        }
    }
    return plaintext;
}

The above code snippet is for Decryption.

My open-source tool LightKeysTransfer uses TripleDES and the accompanying source code can be found at:

https://github.com/ALightTechnologyAndServicesLimited/LightKeysTransfer

The encryption/decryption related code can be found at:

https://github.com/ALightTechnologyAndServicesLimited/LightKeysTransfer/blob/main/LightKeysTransfer/LightKeysTransfer/CryptHelper.cs

–

Mr. Kanti Kalyan Arumilli

Arumilli Kanti Kalyan, Founder & CEO

B.Tech, M.B.A

Founder & CEO, Lead Full-Stack .Net developer

ALight Technology And Services Limited

ALight Technologies USA Inc

Youtube

Facebook

Phone / SMS / WhatsApp on the following 3 numbers:

+91-789-362-6688, +1-480-347-6849, +44-07718-273-964

+44-33-3303-1284 (Preferred number if calling from U.K, No WhatsApp)

Tags .Net, C#, Security

.Net C# Cryptography Security

An overview of RSA for asymmetric encryption, decryption using C#

Post author By Kanti Kalyan Arumilli
Post date 14 August 2023

The RSACryptoServiceProvider in C# provides way for asymmetric encryption and decryption. The encryption happens using public key. The encrypted data can be decrypted only by the associated private key.

The implementation supports keys of sizes varying from 512 bits to 16,384 bits. The larger the key size, the more secure but slower. Depending on the size of the key, the amount of data that can be encrypted would be different.

The public key can be exported and passed for encrypting data. The private key needs to be properly secured.

My open source project LightKeysTransfer uses RSA for encryption and decryption. CryptHelper.cs has the code implementation.

var rsa = RSACryptoServiceProvider.Create(2048);
var rsa2 = RSACryptoServiceProvider.Create(2048);

// code for exporting the public key
var publicKey = rsa.ToXmlString(false);

// code for importing the public key on a different instance
rsa2.FromXmlString(publicKey);

// code for getting bytes from string, there are several other ways of converting text into bytes
var plainBytes = UTF8Encoding.UTF8.GetBytes("Hello!");

// code for encrypting 
var encryptedBytes = rsa2.Encrypt(plainBytes, RSAEncryptionPadding.OaepSHA512);

// code for decrypting
var decryptedBytes = rsa.Decrypt(encryptedBytes, RSAEncryptionPadding.OaepSHA512);

In a different blog post in the next few days, I would post about TripleDES, I am implementing a combination of TripleDES and RSA for encrypting and decrypting slightly larger data. Larger data cannot be encrypted using RSA!

–

Mr. Kanti Kalyan Arumilli

Arumilli Kanti Kalyan, Founder & CEO

B.Tech, M.B.A

Founder & CEO, Lead Full-Stack .Net developer

ALight Technology And Services Limited

ALight Technologies USA Inc

Youtube

Facebook

Phone / SMS / WhatsApp on the following 3 numbers:

+91-789-362-6688, +1-480-347-6849, +44-07718-273-964

+44-33-3303-1284 (Preferred number if calling from U.K, No WhatsApp)

Tags .Net, C#, Cryptography, Security

Security

How to get alerts for SSH / OpenVPN logins on AWS EC2 or any other debian/ubuntu based servers

Post author By Kanti Kalyan Arumilli
Post date 13 August 2023

This blog post is specifically for AWS EC2 but the same concepts can be used in any Ubuntu based environments.

This is part of my personal effort in enhancing the cyber-security of my own startup – ALight Technology And Services Limited and ALight Technologies USA Inc. I am using multi-cloud environment for additional security. I have workloads in Azure, AWS! Azure has more important workloads. I am trying to come up with a plan where if an attacker hacks one of the accounts, the critical workload in Azure should not be accessible. This is pretty much like creating multiple layers of security. In other words this is like multi-MFA accounts security with various multi-factor authentication methods.

At least during locked-down period, the multi-MFA accounts security level would enhance the security. During maintenance window this level of security wouldn’t be possible and I am planning some monitoring, alerts and automatic mitigations if abnormal activity gets detected during maintenance windows based on logs, metrics. And even automatic terminations for any higher abnormal activity. Almost like a self-developed, zero trust system, intrusion detection and prevention system.

Here are several related blog posts:

WireGuard, OpenVPN, Pro Custodibus, TailScale

How to easily install OpenVPN and some easy C# code snippets for Process class

A method for randomizing VPN security for cloud based workloads – ALight Technology And Services Limited

The spy-attackers-toes (I think extremist division of R&AW, spying organization of my own country, India) = terrorist odour can utmost do screenshots but cannot directly access the servers. This is one man’s effort against an army of anonymous spy-hackers. Shame on the bribery/extortion/ransom takers. sugarified word – taking – harsh reality = extortion/ransom, instead they could have opted to asking for help.

In AWS configure a SNS topic to send alerts to emails / SMS to phone. Add the emails and phone numbers, subscribe and validate the emails and phones.

Create a role for use with EC2 instances and give permission for publish to the SNS topic.

When launching the SNS use associate the IAM role with permission for publishing.

Install aws cli.

> sudo apt install awscli

Create a script for example / var/LoginAlert/LoginAlert.sh

#!/bin/bash
aws sns publish --topic-arn <ARN_OF_SNS_TOPIC> --message "User Logged In!" --region <AWS_REGION>
exit 0

Replace the ARN and Region with your own ARN and Region of the SNS topic.

Instead of “aws sns publish”, we can use any other executable such as writing some customcode and writing into some database for audit purposes, send alert via various other methods such as Slack etc… Or may be even a curl request to Slack.

https://api.slack.com/tutorials/tracks/posting-messages-with-curl

Give execute permissions on the script

sudo chmod +x /var/LoginAlert/LoginAlert.sh

Edit the file /etc/profile

sudo nano /etc/profile

Add the following code:

/var/LoginAlert/LoginAlert.sh

Now, reboot and re-login, you should have received an alert.

Now for OpenVPN, we can use the same script. Edit server.conf usually under /etc/openvpn or /etc/openvpn/server. Add the following lines:

client-connect "/var/LoginAlert/LoginAlert.sh"
script-security 2

Now, try connecting to your VPN instance, you should receive an alert.

–

Mr. Kanti Kalyan Arumilli

Arumilli Kanti Kalyan, Founder & CEO

B.Tech, M.B.A

Founder & CEO, Lead Full-Stack .Net developer

ALight Technology And Services Limited

ALight Technologies USA Inc

Youtube

Facebook

Phone / SMS / WhatsApp on the following 3 numbers:

+91-789-362-6688, +1-480-347-6849, +44-07718-273-964

+44-33-3303-1284 (Preferred number if calling from U.K, No WhatsApp)

Tags CyberSecurity, Security

AWS Azure Security VPN

WireGuard, OpenVPN, Pro Custodibus, TailScale

Post author By Kanti Kalyan Arumilli
Post date 9 August 2023

In my startup – ALight Technology And Services Limited, I don’t have any employees. I do everything myself. I know .Net web development. These other activities are something new for me.

Most of you know, I have been looking for secure, efficient way of accessing servers hosted in my AWS and Azure accounts. This effort is part of productionizing WebVeta and securing the servers.

I have written some blog articles about OpenVPN in the past and how-to automate changing keys using some C# code at random for higher security.

This blog post is about few other alternatives and some tips.

WireGuard is another free VPN software! But the problem 256-bit key. i.e less secure but high throughput. One possible way is by rotating the key on a timely basis. There is another software known as Pro Custodibus, that helps in rotating keys and managing keys + MFA!

OpenVPN is very highly configurable and can support 2048 bit keys and above.

How to easily install OpenVPN and some easy C# code snippets for Process class

The above blog post talks about how to install and use some C# code for re-generating server and client side keys. The above blog post allows keys + password protection for the ovpn file i.e 2 layers of higher security.

OpenVPN has the following interesting options for further security / monitoring and alerting:

--ipchange cmd
--route-up cmd
--route-pre-down cmd
--ping-exit n
--up cmd
--down cmd
--down-pre
--up-restart
--client-connect
--client-disconnect
--auth-user-pass-verify cmd method
--auth-gen-token [lifetime]
--single-session

Using some of these options and commands, alerts can be generated by either using scripts or programs. I would use C#, but any programming language or even shell scripts can be used.

Using –auth-user-pass-verify 3rd level of security can be added i.e an additional username + password security can be added.

–single-session allows one and only one session, no session re-negotiation – Probably perfect for my scenario.

TailScale is a very nice VPN management software and has a very generous free-tier of upto 100 devices and 3 users. With a little bit of custom programming and using TailScale the security can be increased and can be easily managed. However, one of the biggest problems I saw was registering servers. TailGate displays a URL in plain-text, the URL needs to be entered in browser and authenticated for registering a server in TailGate. If anyone knows the URL and if they authenticate before you, they can try to take-over the server and of-course you can immediately terminate server etc…

I think re-gistering servers should be 2 way i.e

In the website allow copying some random GUID (don’t show the GUID in plain text).
In the server after tailscale up, prompt for the GUID, treat the GUID like password, allow pasting but don’t echo the GUID.
Generate another unique GUID on the server and display.
User copies the server-side GUID and pastes in the website.
Now pair the servers

Even if someone somehow steals the first GUID and pastes in their server, the second GUID generated by their server would be different and can’t be paired.

If someone steals the second guid, their browser-side first guid associated with their account would be different and can’t be paired.

Meanwhile TailScale pairing can be done little securely using my opensource tool – https://github.com/ALightTechnologyAndServicesLimited/LightKeysTransfer – This feature to be implemented, I would make an announcement when the feature gets implemented.

The feature would be very simple, instead of displaying the URL, the URL would be encrypted, use the client-mode part of tool for decrypting, copy and paste in small-sized browser window and approve.

This feature request has been submitted – https://github.com/tailscale/tailscale/issues/8823

–

Mr. Kanti Kalyan Arumilli

Arumilli Kanti Kalyan, Founder & CEO

B.Tech, M.B.A

Founder & CEO, Lead Full-Stack .Net developer

ALight Technology And Services Limited

ALight Technologies USA Inc

Youtube

Facebook

Phone / SMS / WhatsApp on the following 3 numbers:

+91-789-362-6688, +1-480-347-6849, +44-07718-273-964

+44-33-3303-1284 (Preferred number if calling from U.K, No WhatsApp)

Tags AWS, Azure, CyberSecurity, Security, VPN

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.