Securing your bastion hosts with Amazon EC2 Instance Connect

posted Aug 28, 2019, 7:50 AM by Chris G   [ updated Aug 28, 2019, 7:51 AM ]

In a previous blog post, I discussed how you can use AWS Systems Manager Session Manager to securely connect to your private instances in your virtual private cloud (VPC) without needing an intermediary bastion host, open ports, or a key pair assigned to the instances. In this post, I cover how you can improve the security of your existing bastion hosts by using Amazon Elastic Compute Cloud (Amazon EC2) Instance Connect. I also demonstrate how you can use an AWS Lambda function to automate your security group configuration to allow access from the published IP address range of the EC2 Instance Connect service. This is necessary if you want to connect to your instances using Instance Connect from the Amazon EC2 console.

stop disabling SELinux

posted Feb 15, 2019, 7:51 AM by Chris G   [ updated Feb 15, 2019, 7:52 AM ]

Seriously, stop disabling SELinux.
Learn how to use it before you blindly shut it off.

Every time you run setenforce 0, you make Dan Walsh weep.
Dan is a nice guy and he certainly doesn't deserve that.

JSON Web Token

posted Jun 14, 2018, 6:55 AM by Chris G   [ updated Jun 14, 2018, 6:57 AM ]

What is JSON Web Token?

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA.

Although JWTs can also be encrypted to provide secrecy between parties, we will focus on signed tokens. Signed tokens let a recipient verify the integrity of the claims contained within them, while encrypted tokens hide those claims from other parties. When tokens are signed using public/private key pairs, the signature also certifies that only the party holding the private key could have signed them.

GnuPG - The GNU Privacy Guard

posted May 12, 2018, 8:26 AM by Chris G   [ updated May 12, 2018, 8:27 AM ]

GnuPG is a complete and free implementation of the OpenPGP standard as defined by RFC 4880 (also known as PGP). GnuPG allows you to encrypt and sign your data and communications; it features a versatile key management system, along with access modules for all kinds of public key directories. GnuPG, also known as GPG, is a command line tool with features for easy integration with other applications. A wealth of frontend applications and libraries are available. GnuPG also provides support for S/MIME and Secure Shell (SSH).

Boxcryptor - Security for your Cloud

posted May 12, 2018, 8:24 AM by Chris G   [ updated May 12, 2018, 8:24 AM ]

Boxcryptor for Individuals

Boxcryptor encrypts your sensitive files and folders in Dropbox, Google Drive, OneDrive and many other cloud storages. It combines the benefits of the most user friendly cloud storage services with the highest security standards worldwide. Encrypt your data right on your device before syncing it to the cloud providers of your choice.

Boxcryptor is free to use with one cloud storage provider on two devices. 

Inspec - Compliance as code

posted May 1, 2017, 9:57 AM by Chris G   [ updated May 1, 2017, 9:58 AM ]

InSpec is an open-source testing framework for infrastructure with a human-readable language for specifying compliance, security and other policy requirements. When compliance is code, you can integrate automated tests that check for adherence to policy into any stage of your deployment pipeline.

This tool can also be used to validate the deployment of new systems by describing what should/should not be installed. Great stuff!

Salted Password Hashing - Doing it Right

posted Mar 13, 2017, 1:22 PM by Chris G

A very nice article with examples:

Let’s Encrypt: Delivering SSL/TLS Everywhere

posted Nov 19, 2014, 6:15 PM by Chris G

Let’s Encrypt is a new Certificate Authority:
It’s free, automated, and open.
Arriving Summer 2015

An Introduction to the JS WebCrypto API

posted Oct 29, 2014, 11:44 AM by Chris G   [ updated Oct 29, 2014, 11:45 AM ]

Keeping Secrets with JavaScript - An Introduction to the WebCrypto API

Kippo SSH honeypot

posted Sep 17, 2014, 7:49 PM by Chris G   [ updated Sep 17, 2014, 7:49 PM ]

Kippo is a medium interaction SSH honeypot designed to log brute force attacks and, most importantly, the entire shell interaction performed by the attacker.

  • Fake filesystem with the ability to add/remove files. A full fake filesystem resembling a Debian 5.0 installation is included
  • Possibility of adding fake file contents so the attacker can 'cat' files such as /etc/passwd. Only minimal file contents are included
  • Session logs stored in a UML-compatible format for easy replay with original timings
  • Just like Kojoney, Kippo saves files downloaded with wget for later inspection
  • Trickery; ssh pretends to connect somewhere, exit doesn't really exit, etc
Software required:

  • An operating system (tested on Debian, CentOS, FreeBSD and Windows 7)
  • Python 2.5+
  • Twisted 8.0+
  • PyCrypto
  • Zope Interface
