KAK Labs

LLM Tool Recommendations with Better Privacy and Security

Sun, 02 Feb 2025 11:54:00 +0700

Recently, I’ve been exploring security Large Language Models (LLMs) and how to run Large Language Models (LLMs) directly on personal devices. I prioritized tools with end-to-end encryption, offline functionality, Vim support, and ease of installation.

Below are my top recommendations, which I will update regularly.

Disclaimer: Local LLMs may require more hardware resources.

AI Chat Bot

LM Studio
- Graphical User Interface (GUI) based chat bot
- Run locally
- Free and Open Source
- Supports MacOS, Linux, and Windows
Ollama
- Command Line Interface (CLI) based chat bot
- Run locally
- Free and Open Source
- Supports MacOS, Linux, and Windows

Coding Assistant

llama.vim
- Vim & Neovim plugin for LLM-assisted code/text completion
- Run locally
- Free and Open Source
Codeium
- Support VSCode, Vim, and Neovim
- Free plan available
- SOC 2 Type 2 Compliant
Cursor
- Support VSCode
- No support Vim and Neovim
- Free plan available
- SOC 2 Type 2 Compliant
Qodo
- Support VSCode
- No support Vim and Neovim
- Free plan available
- SOC 2 Type 2 Compliant

KAK Labs Newsletter #7 – Deepening My Application Security Journey

Mon, 27 Jan 2025 08:19:00 +0700

Since transitioning into the security field, I’ve specialized in Application Security. Moving forward, you can expect even more security-focused insights and analyses from my blog.

From The World

Useful built-in macOS command-line utilities

macOS comes with a lot of built-in utilities. Here’s a list of some that I find interesting.

What I Wish Someone Told Me About Postgres

Interesting tips for PostgreSQL.

Latency Comparison Numbers for Rails

A must-read for every Ruby on Rails developer: latency numbers in one table, from local variable access and React route to Elasticsearch queries and Largest Contentful Paint.

Rails Is Better Low Code Than Low Code

Rails is better low code than low code.

Rails for Everything

Rails is not dead; It’s better than ever. Try using it to make something new this year.

Recent Blog Posts

PostgreSQL Index Usage Monitoring

Having too many unused or underused indexes on a table can slow down write and update operations in your PostgreSQL database, making it crucial to regularly identify and manage them for optimal performance. Read more.

C# DbContext ServiceLifeTime

My note about C Sharp ServiceLifeTime.

Subdomain Hijacking

My dormant subdomain was recently hijacked, redirecting it to a online gamble registration page.

Tutorial - “su username vs su - username” - A Security Perspective

The main difference between su username and su - username lies in the environment variables that are loaded when switching to the specified user. Read more.

Envelope Encryption

Envelope encryption is the practice of encrypting plaintext data with a data key, and then encrypting the data key under another key.

AWS Secrets Manager

Explanation about AWS Secrets Manager with example code.

DevSecOps

My Notes about DevSecOps.

Is Getting AWS Solutions Architect Associate Certification Worth It?

If you are a full-time Software Engineer, there’s no strong need to pursue this certification. Read more.

How to Defend Against Brute-Force and DoS Attacks with Fail2ban, Nginx limit_req, and iptables

In this tutorial, I’ll explain how to protect your public-facing Linux server and Nginx web server from common threats, including brute-force and DoS attacks.

How to Defend Against Brute-Force and DoS Attacks with Fail2ban, Nginx limit_req, and iptables

Sat, 02 Nov 2024 06:51:00 +0700

In this tutorial, I’ll explain how to protect your public-facing Linux server and Nginx web server from common threats, including brute-force and DoS attacks.

Servers exposed to the internet often face these types of attacks, which can disrupt service and compromise security.

These attacks can seriously disrupt a server’s performance and security. By implementing defense in depth, protection mechanism like Fail2ban, Nginx limit_req, and iptables are so important.

What is Brute-Force Attack and Denial-of-Service Attack?

Brute-Force Attack

This is when an attacker tries to guess a user’s password or other sensitive information by trying many different combinations very quickly. It’s like repeatedly trying different keys to unlock a door until one works. If successful, they can access private areas of your server.

Denial-of-Service (DoS) Attack

In a DoS attack, the attacker tries to overwhelm a server by flooding it with requests. A DoS attack can make your server slow or even crash, preventing real users from accessing it

Fail2ban

Fail2Ban is an intrusion prevention software framework. Written in the Python programming language, it is designed to prevent brute-force attacks.

How to Install fail2ban on Debian / Ubuntu

sudo apt install fail2ban

How to Setup fail2ban

After installing fail2ban, the next steps involve configuring it to protect your server effectively. Here’s how to set it up and customize it for maximum security:

1. Configure the Default Jail Settings

The main configuration file is located at /etc/fail2ban/jail.conf, but it’s better practice to override settings in /etc/fail2ban/jail.local to avoid overwriting when updating Fail2ban. Create or edit the jail.local file:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local

Common parameters to configure:

bantime: Duration in seconds an IP is banned. Default value: 600 (600 seconds or 10 minutes)
findtime: Time window for considering repeated failed attempts. Default value: 600 (600 seconds or 10 minutes)
maxretry: Number of failed attempts before a ban. Default value: 5

I personally prefer to use these default values.

2. Enable and Customize Jails for SSH Protection

In the jail.local file, find the [sshd] section to enable SSH protection. By default, SSH protection is enabled for Debian and Ubuntu, in this case I just want to make it explicit with enabled = true.

[sshd]
enabled = true

# The remaining configurations, I prefer to use default values
...

Adjust the parameters as needed for your specific security policy.

3. Enable nginx-limit-req and nginx-botsearch Jails

Fail2ban can monitor other services beyond SSH. Some additional common jails:

[nginx-limit-req]: This jail works by identifying IPs that exceed a request threshold within a given time window, effectively catching high-frequency requests typical of DoS attacks. Fail2ban will then ban these IPs temporarily, minimizing the impact of the flood.
[nginx-botsearch]: This jail helps by identifying common malicious patterns, such as bots attempting to access sensitive or admin paths repeatedly. Fail2ban will block these IPs automatically, reducing the need for manual intervention with iptables.

To enable these, make sure they’re set to enabled = true in the jail.local file.

[nginx-limit-req]
enabled = true

# The remaining configurations, I prefer to use default values
...

[nginx-botsearch]
enabled = true

# The remaining configurations, I prefer to use default values
...

4. Restart Fail2ban and Verify Configuration:

After editing the configuration, restart Fail2ban to apply the changes:

sudo systemctl restart fail2ban

Check the status to confirm that it’s running and protecting the desired services:

sudo fail2ban-client status

You should see a list of enabled jails, each monitoring the specified service logs.

5. Test Fail2ban Functionality:

Simulate a failed login attempt to see if Fail2ban blocks the IP after repeated attempts (you can try logging in with an incorrect SSH password multiple times). After reaching the maxretry limit, Fail2ban should ban the IP.

6. View Active Bans and Unban IPs if Necessary:

To see currently banned IPs:

sudo fail2ban-client status sshd

To unban an IP, use:

sudo fail2ban-client set sshd unbanip <IP_ADDRESS>

Fail2ban will now be actively monitoring and banning IPs based on the rules you configured, helping secure your server against brute-force and other common unauthorized access attempts.

Nginx limit_req

The Nginx ngx_http_limit_req_module module (0.7.21) is used to limit the request processing rate per a defined key, in particular, the processing rate of requests coming from a single IP address. The limitation is done using the “leaky bucket” method.

http {
    limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;

    ...

    server {

        ...

        location / {
            # delay up to 2s before processing
            limit_req zone=one burst=5 delay=2;
        }

Nginx limit_req Nodelay

The nodelay setting in Nginx’s limit_req directive can significantly affect how requests are throttled. Here’s a breakdown to help decide whether or not to use nodelay:

What `nodelay` Does

Without nodelay (the default setting), Nginx will queue excess requests and serve them at the rate specified in limit_req_zone. This works well for spreading out requests rather than dropping them immediately.
With nodelay, Nginx immediately rejects requests that exceed the limit, without queuing. This makes it more strict, immediately responding with a 503 (Service Unavailable) error if the limit is reached.

When to Use `nodelay`

Consider enabling nodelay if:

You’re dealing with high traffic or frequent burst attacks and want immediate rejection to conserve server resources.
You have endpoints where latency is critical, and you prefer dropping excess requests rather than queuing them (e.g., API endpoints with strict rate limits).

When Not to Use `nodelay`

Keep nodelay disabled (default) if:

You want to give legitimate users a chance to access the site, even under load.
Your server can handle the request queue, and you’d rather not drop requests unless absolutely necessary (e.g., user-facing sites where some waiting is acceptable).

Example Configuration

If you decide to use nodelay, here’s how to apply it:

limit_req_zone $binary_remote_addr zone=one:10m rate=5r/s;

server {
    location /api/ {
        limit_req zone=one burst=10 nodelay;
    }
}

Simulate Flood to Web Server

You can simulate a request flood by using ab or ApacheBench:

# Install ab
sudo apt install apache2-utils

# Run ab
# -n: Total number of requests to perform.
# -c: Number of concurrent requests to keep open at a time
ab -n 1000 -c 100 https://example.com/

This command sends 1k requests with 100 requests concurrently.

iptables

Using iptables, you can add an extra layer of protection to your server by controlling incoming and outgoing traffic. Here’s a straightforward setup to help secure an Nginx server against common attacks.

1. Install `iptables` (if not already installed)

Most Ubuntu systems come with iptables pre-installed. Check if it’s installed with:

iptables -v

If not installed, install it with:

sudo apt install iptables

2. Allow SSH, HTTP, and HTTPS Traffic

Allow SSH, HTTP, and HTTPS traffic to ensure you can manage the server and serve web content.

# Allow SSH (port 22) for remote access
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Allow HTTP (port 80) and HTTPS (port 443) for web traffic
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

3. Allow Rules for APT

# Allow Outbound HTTP and HTTPS Traffic
# apt uses HTTP/HTTPS to fetch packages
sudo iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT

# Allow DNS Resolution
# apt needs DNS to resolve domain names to IP addresses
sudo iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
sudo iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT

# Ensure related and established connections are allowed
sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

4. Limit SSH Connections

If you want to limit SSH connection attempts to prevent brute-force attacks, set a rate limit:

sudo iptables -A INPUT -p tcp --dport 22 -m limit --limit 3/min -j ACCEPT

This rule allows a maximum of 3 SSH connection attempts per minute. Excess attempts will be blocked.

5. Block All Other Traffic (Be Careful)

Block all other incoming traffic for security, except those you specifically allowed. Be careful with this rule, as it blocks all incoming connections not specifically allowed above.

sudo iptables -A INPUT -j DROP

6. Check and Save Your Rules

View current rules with:

sudo iptables -L

Save the rules to apply, so the rules will not lost after rebooting. Use iptables-persistent:

sudo apt install iptables-persistent
sudo netfilter-persistent save

7. How to Delete a Rule

# Identify the Rule’s Line Number
sudo iptables -L INPUT --line-numbers

# Delete the Rule by Its Line Number
sudo iptables -D INPUT <line-number>

Last, But Not Least

Those are all the steps, but remember, implementing Fail2ban, Nginx limit_req, and iptables won’t make your server 100% secure. Keep monitoring your server and web application regularly.

Is Getting AWS Solutions Architect Associate Certification Worth It?

Sat, 19 Oct 2024 11:27:00 +0700

TL;DR: It depends. If your goal is to learn AWS, then it’s definitely worth it. in my role as a Senior Software Engineer, it helped me design applications more effectively because of my deeper understanding of AWS. However, If you’re aiming for career advancement or a better job, the certification alone doesn’t guarantee success. In my case, I transitioned to the Cybersecurity team at my current company, and I believe one of the factors was my AWS Solutions Architect Associate certification.

My Journey to AWS Certification and Its Impact on My Career

In December 2022, my company offered us free AWS training. The training suggested that getting certified was worthwhile. Long story short, I dove deeper into AWS, prepared for the exam, and eventually passed the AWS Solutions Architect Associate exam.

While studying for the certification, my knowledge of AWS expanded exponentially, especially in areas like AutoScaling, VPC, Networking, and IAM. Previously, I only knew how to use EC2, RDS, and S3 but had never set them up from scratch.

I also discovered a wide range of AWS services and gained an understanding of why AWS networks are so robust, including the importance of availability zones. I learned about cross-account AWS connections, and when to choose one service over another, and much more.

As a result, in my role as a Senior Software Engineer, it helped me design applications more effectively because of my deeper understanding of AWS.

In Q2 of this year (2024), I moved to the Cybersecurity team at my current company, and I believe that my AWS Solutions Architect Associate certification was a key factor, along with my software engineering skills and cybersecurity background from college.

Back to certification itself, based on my observations, having the AWS Solutions Architect Associate certification is particularly valuable if you are a freelancer. This certification can help you stand out among other candidates.

If you are a full-time Software Engineer, there’s no strong need to pursue this certification. Instead, focus on deepening your knowledge of AWS services related to your job, such as IAM, RDS, S3, SQS, and SNS. However, if you are a freelancer building applications for clients on AWS, then this certification is definitely worth it.

DevSecOps

Wed, 11 Sep 2024 07:41:00 +0700

In my recent exploration of DevSecOps, below are key practices that can elevate our application security:

Scan git repositories for finding potential credentials leakage. Implement automated tools to detect hard-coded secrets and review commit histories for potential leaks.
SAST (Static Application Security Test). Analyzes your source code for vulnerabilities without executing the program.
SCA (Software Composition Analysis or dependency check). Evaluates third-party libraries and components used in application.
IAST (Interactive Application Security Testing). Automated test, human tester, or any activity “interacting” with the application functionality.
DAST (Dynamic Application Security Test). Checks vulnerabilities (such has XSS) in your running applications.
IaC Scanning (Scanning Terraform, HelmChart code to find misconfiguration).
Infrastructure scanning. Beyond IaC, scanning the actual infrastructure (including networks, servers, and containers) for vulnerabilities is crucial. This practice ensures that your deployed environment is secure and free from common threats and misconfigurations.
Compliance check. Regular compliance checks ensure that our application and infrastructure adhere to industry standards and regulatory requirements

AWS Secrets Manager

Tue, 28 May 2024 06:40:00 +0700

AWS Secrets Manager helps us to manage, retrieve, and rotate database credentials, application credentials, OAuth tokens, API keys, and other secrets throughout their lifecycles. Many AWS services store and use secrets in Secrets Manager.

Enhancing Security Posture

One of the key benefits of using Secrets Manager is the improvement in security posture, because we no longer need hard-coded credentials in application source code. Storing the credentials in Secrets Manager helps avoid possible compromise by anyone who can inspect our application or the components. We replace hard-coded credentials with a runtime call to the Secrets Manager service to retrieve credentials dynamically when our application need them.

Automated Rotation of Secrets

With Secrets Manager, we can configure an automatic rotation schedule for our secrets. This enables us to replace long-term secrets with short-term ones, significantly reducing the risk of compromise. Since the credentials are no longer stored with the application, rotating credentials no longer requires updating the application codes and deploying changes to application clients.

Envelope Encryption

Secrets Manager uses envelope encryption with AWS KMS keys and data keys to protect each secret value. Whenever the secret value in a secret changes, Secrets Manager requests a new data key from AWS KMS to protect it. The data key is encrypted under a KMS key and stored in the metadata of the secret. To decrypt the secret, Secrets Manager first decrypts the encrypted data key using the KMS key in AWS KMS.

Secrets Manager does not use the KMS key to encrypt the secret value directly. Instead, it uses the KMS key to generate and encrypt a 256-bit Advanced Encryption Standard (AES) symmetric data key, and uses the data key to encrypt the secret value. Secrets Manager uses the plaintext data key to encrypt the secret value outside of AWS KMS, and then removes it from memory. It stores the encrypted copy of the data key in the metadata of the secret.

Example Code with Ruby

require 'aws-sdk-secretsmanager'
require 'json'

def get_secret(secrets_client, secret_name)
  # Retrieve the secret from Secrets Manager
  response = secrets_client.get_secret_value({
    secret_id: secret_name
  })
  secret = response.secret_string

  # Parse the secret and remove from memory
  parsed_secret = JSON.parse(secret)
  secret.clear  # Clear the secret from memory
  parsed_secret
end

# Initialize AWS client
region = 'your-region'
secrets_client = Aws::SecretsManager::Client.new(region: region)

# Retrieve the secret_name from environment variable
secret_name = ENV['SECRET_NAME']

# Retrieve the secret using the secret_name
secrets = get_secret(secrets_client, secret_name)
puts secrets

For more best practices on secrets management, consider the OWASP Secrets Management Cheat Sheet, which provides valuable guidance on maintaining secure secrets management practices.

Envelope Encryption

Tue, 14 May 2024 07:11:00 +0700

When you encrypt your data, your data is protected, but you have to protect your encryption key. One strategy is to encrypt it. Envelope encryption is the practice of encrypting plaintext data with a data key, and then encrypting the data key under another key.

You can even encrypt the data encryption key under another encryption key, and encrypt that encryption key under another encryption key. But, eventually, one key must remain in plaintext so you can decrypt the keys and your data. This top-level plaintext key encryption key is known as the root key.

If you are using AWS, you can perform envelope encryption with AWS Key Management Service (KMS). AWS KMS helps protect your encryption keys by storing and managing them securely. Root keys stored in AWS KMS, known as AWS KMS keys, never leave the AWS KMS FIPS-validated hardware security modules unencrypted. To use a KMS key, you must call AWS KMS.

If you are using Azure, you can use Azure Key Vault for envelope encryption. Azure Key Vault allows you to securely store and manage your encryption keys and secrets. It uses hardware security modules (HSMs) to protect keys at rest and provides secure key management operations.

If you are using Google Cloud Platform (GCP), you can use Google Cloud Key Management Service (Cloud KMS) for envelope encryption. Cloud KMS provides a centralized management system for your encryption keys, which are protected by FIPS-validated HSMs. Cloud KMS integrates seamlessly with other Google Cloud services to help you manage and protect your keys.

Envelope encryption offers several benefits:

Protecting Data Keys

When you encrypt a data key, you don’t have to worry about storing the encrypted data key, because the data key is inherently protected by encryption. You can safely store the encrypted data key alongside the encrypted data.

Encrypting The Same Data Under Multiple Keys

Encryption operations can be time consuming, particularly when the data being encrypted are large objects. Instead of re-encrypting raw data multiple times with different keys, you can re-encrypt only the data keys that protect the raw data.

Combining The Strengths of Multiple Algorithms

In general, symmetric key algorithms are faster and produce smaller ciphertexts than public key algorithms. But public key algorithms provide inherent separation of roles and easier key management. Envelope encryption lets you combine the strengths of each strategy.

Envelope Encryption Example

Suppose we have a plaintext secret “hello-world” and an encryption key “123”.

Initial Encryption

Plaintext	Encryption Key	Encrypted Data
hello-world	123	randomcharacterExample

To secure the encryption key “123”, we use envelope encryption by encrypting “123” with a root key.

Envelope Encryption

Data Key	Root Key	Encrypted Data Key
123	abc	randomchars

Root Key Rotation

Data Key	Root Key	Encrypted Data Key
123	def	randomchars-rotation

When we need to rotate the key, we only rotate the root key “abc”. As a result, we do not have to re-encrypt the data. In this case, the data “hello-world” does not need to be re-encrypted if we change the root key, because only the root key is rotated.

Tutorial - "su username vs su - username" - A Security Perspective

Wed, 01 May 2024 07:17:00 +0700

The main difference between the command line su username and su - username lies in the environment variables that are loaded when switching to the specified user.

su username: This command switches to the specified user account but keeps the current environment variables intact. It does not simulate a full login, so the new shell session inherits the environment of the original user.
su - username or su -l username: This command simulates a full login for the specified user. It resets the environment variables to those defined for the target user, including their home directory, PATH, and other settings specified in their login configuration files like .bash_profile or .bashrc. This is useful when we need to fully assume the identity of another user, including their environment settings.

➜  ~ whoami
currentuser
➜  ~ echo $ZSH
/Users/currentuser/.oh-my-zsh
➜  ~ echo $PATH
/Users/currentuser/.rbenv/shims

# change to "exampleuser" with "su username"
➜  ~ whoami
currentuser
➜  ~ su exampleuser
➜  ~ whoami
exampleuser
➜  ~ echo $ZSH
/Users/currentuser/.oh-my-zsh
➜  ~ echo $PATH
/Users/currentuser/.rbenv/shims
➜  ~ exit
➜  ~ whoami
currentuser

# change to "exampleuser" with "su - username"
➜  ~ whoami
currentuser
➜  ~ su - exampleuser
➜  ~ whoami
exampleuser
➜  ~ echo $ZSH
/Users/exampleuser/.oh-my-zsh
➜  ~ echo $PATH
/Users/exampleuser/.rbenv/shims
➜  ~ exit
➜  ~ whoami
currentuser

su - username provides a cleaner separation between the current user’s environment and the environment of the target user, while su username maintains the current environment.

Security

Using su - username is better from a security standpoint because it provides a more controlled and secure environment for the target user. Here’s why:

Environment Isolation: su - username resets the environment variables to those defined for the target user. This ensures that only the environment variables specifically set for that user are loaded, reducing the risk of accidental execution of potentially harmful commands or scripts from the current user’s environment.
Security Policies: The target user’s login configuration files, such as .bash_profile or .bashrc, can include security policies and settings specific to that user. By using su - username, we can ensure that these policies are applied, enhancing the security of the session.
Path Safety: By loading the target user’s PATH variable, su - username ensures that only the executables accessible to that user are available. This reduces the risk of inadvertently executing a malicious program or script from an unexpected location.
Home Directory Security: su - username changes the working directory to the home directory of the specified user, providing a secure context for file operations. This reduces the risk of accidentally modifying or accessing sensitive files from the current user’s directory.
Logging and Auditing: Using su - username provides clearer audit trails. The system logs will clearly show when a user switches to another user with a full login, making it easier to trace actions back to the responsible user.

su - username ensures a more secure and controlled environment, reducing the risk of security vulnerabilities and accidental misuse of privileges.

Subdomain Hijacking

Sun, 21 Apr 2024 07:24:00 +0700

My dormant subdomain was recently hijacked, redirecting it to a online gamble registration page. Subdomain hijacking or subdomain takeover refers to redirecting unused subdomains to the attacker’s chosen location.

So when opening my subdomain, for example blog.example.com, it shows content from the attacker, which is online gambling registration.

To address this, I must update my DNS settings. The original setting had my subdomain pointing to a broken Github Pages, so I needed to point it to a valid target.

Before:

CNAME: blog.example.com
Target: <github pages url>

After:

CNAME: blog.example.com
Target: <other valid URL>

DNS Mapping Tool

To prevent subdomain hijacking, in addition to checking the DNS from your registrar, you can use a tool called DNS Dumpster. DNS Dumpster is a free domain research tool that can discover hosts related to a domain. Finding visible hosts from the attacker’s perspective is an important part of the security assessment process.

Remember to monitor your subdomain targets or delete unused ones.

C# DbContext ServiceLifeTime

Sun, 19 Nov 2023 14:11:00 +0700

In .NET Core, we can control the lifetime of our services, including DbContext, by specifying the appropriate ServiceLifetime. The choice of service lifetime depends on application’s requirements.

Here are some common service lifetimes and when to use them:

Transient: A new instance of the service is created every time it’s requested. This is suitable for stateless services or services that have a very short lifespan.
Scoped: A single instance of the service is created for each HTTP request. Scoped services are suitable for scenarios where you want to share the same instance of a service within the scope of a single request. In ASP.NET Core, this is often used for DbContext instances in a web application. Each HTTP request gets its own DbContext, and the DbContext is disposed at the end of the request.
Singleton: A single instance of the service is created for the lifetime of the application. This is suitable for stateless services that can be reused across all requests.

I only have experience with C# Worker service to consume messsage from a queue. For DbContext instances, I usually choose Transient because my C# worker working independently with each message.

When using Transient lifetime, a new instance of the DbContext will be created for each operation, ensuring that each message is handled in isolation without sharing the same DbContext instance across messages.

Here’s an example of registering a scoped DbContext in .NET Core Program.cs:

// Assuming we have a ExampleDbContext class
services.AddDbContext<ExampleDbContext>(options =>
{
    options.UseNpgsql(connectionString, db => db.EnableRetryOnFailure(5));
}, ServiceLifetime.Transient);

KAK Labs

LLM Tool Recommendations with Better Privacy and Security

AI Chat Bot

Coding Assistant

KAK Labs Newsletter #7 – Deepening My Application Security Journey

From The World

Useful built-in macOS command-line utilities

What I Wish Someone Told Me About Postgres

Latency Comparison Numbers for Rails

Rails Is Better Low Code Than Low Code

Rails for Everything

Recent Blog Posts

PostgreSQL Index Usage Monitoring

C# DbContext ServiceLifeTime

Subdomain Hijacking

Tutorial - “su username vs su - username” - A Security Perspective

Envelope Encryption

AWS Secrets Manager

DevSecOps

Is Getting AWS Solutions Architect Associate Certification Worth It?

How to Defend Against Brute-Force and DoS Attacks with Fail2ban, Nginx limit_req, and iptables

How to Defend Against Brute-Force and DoS Attacks with Fail2ban, Nginx limit_req, and iptables

What is Brute-Force Attack and Denial-of-Service Attack?

Brute-Force Attack

Denial-of-Service (DoS) Attack

Fail2ban

How to Install fail2ban on Debian / Ubuntu

How to Setup fail2ban

1. Configure the Default Jail Settings

2. Enable and Customize Jails for SSH Protection

3. Enable nginx-limit-req and nginx-botsearch Jails

4. Restart Fail2ban and Verify Configuration:

5. Test Fail2ban Functionality:

6. View Active Bans and Unban IPs if Necessary:

Nginx limit_req

Nginx limit_req Nodelay

What nodelay Does

When to Use nodelay

When Not to Use nodelay

Example Configuration

Simulate Flood to Web Server

iptables

1. Install iptables (if not already installed)

2. Allow SSH, HTTP, and HTTPS Traffic

3. Allow Rules for APT

4. Limit SSH Connections

5. Block All Other Traffic (Be Careful)

6. Check and Save Your Rules

7. How to Delete a Rule

Last, But Not Least

Is Getting AWS Solutions Architect Associate Certification Worth It?

My Journey to AWS Certification and Its Impact on My Career

DevSecOps

AWS Secrets Manager

Enhancing Security Posture

Automated Rotation of Secrets

Envelope Encryption

Example Code with Ruby

Envelope Encryption

Protecting Data Keys

Encrypting The Same Data Under Multiple Keys

Combining The Strengths of Multiple Algorithms

Envelope Encryption Example

Initial Encryption

Envelope Encryption

Root Key Rotation

Tutorial - "su username vs su - username" - A Security Perspective

Security

Subdomain Hijacking

DNS Mapping Tool

C# DbContext ServiceLifeTime

What `nodelay` Does

When to Use `nodelay`

When Not to Use `nodelay`

1. Install `iptables` (if not already installed)