Complementing GuardDuty: DNS Exfiltration Detection and Protection in under 60 seconds with AWS DNS Firewall, Athena, Glue, S3, and Lambda

In under 2 minutes from receiving DNS traffic, I built an AWS integration that automatically detects high-frequency DNS queries (potential data exfiltration attempts) and immediately adds blocking rules to Route 53 DNS Firewall to prevent further data transmission. This post demonstrates real-time DNS threat detection and automated protection using AWS services.

June 3, 2025 • 11 min read

Protecting from a real redis vulnerability using read-only, distroless and security profiles with containers

After reading a blog post from Sysdig, 'Compromising Read-Only Containers with Fileless Malware' by Nicholas Lang, I wanted to explore alternative ways to mitigate the same vulnerability. This is an example of how to protect against a real vulnerability using a combination of a read-only filesystem, a distroless image and a security profile in Docker. The security profile alone would have worked, but following defense in depth, it is good practice to apply all three.

May 9, 2022 • 8 min read

Limiting Docker Resources

Limiting CPU and Memory with Docker

April 7, 2022 • 3 min read

Disable inter-container communication

Here I learn that the --link argument is now legacy and that icc=false is a recommended security practice, as it disables communication between containers on the default bridge network. To allow containers to communicate with icc=false, you need to use custom networks.

April 1, 2022 • 6 min read

Distroless NGINX with a readonly filesystem

A distroless NGINX container running with a read-only filesystem

March 22, 2022 • 4 min read

Distroless NGINX

A distroless NGINX container with fewer than 10 processes and under 30MB in size

March 21, 2022 • 4 min read

Show which directories have uncommitted changes in git

Similar to my last post, when working with many different git repositories in a single directory, I want to quickly see which of the directories have changes that I have not yet committed. Another small script I made does this and I find it very useful. The first step is to create the alias. I have called it dchanges, as in distributed changes command: git config --global alias.dchanges '!bash ~/scripts/git/gitdchanges.sh' Next, make sure the directory exists.

March 17, 2022 • 1 min read

Git log over multiple local repos

I find myself at work executing a for loop in bash in order to get some information out of multiple git repos in one hit. This time I thought it would be useful to create a small script (the thing I keep executing) and to invoke it from a git alias. The first step is to create the alias. I have called it dlog, as in distributed log command. git config --global alias.

March 16, 2022 • 1 min read

How to fix chmod -x /usr/bin/chmod

I was asked this question years ago (and didn't know the answer then), and just recently I found a question and answer on Stack Overflow which basically solved this using Python, so I thought it would be fun to draw it out a little further. Once you have executed chmod -x /usr/bin/chmod (in other words, you have removed the executable permission from the common tool used to change file permissions, including execution), you will no longer be able to use it to make things executable, including chmod itself.

October 5, 2021 • 3 min read

Local PGSQL Docker Utility

This is a small set of bash scripts to make it really simple to start, stop, connect to and load scripts into a local Postgres database. It uses Docker and sets up trust with the host so it can connect using the psql client. It also sets up a local volume in the directory from which you launch the utility, which allows the container instances themselves to be transient while still giving you control to destroy the state when required.

June 17, 2020 • 2 min read

Enumerating Github Repositories in Bash

I needed to get a list of all the repositories for a specific GitHub organisation. GitHub limits the page size you have to use, which ruled out a single call with a large value. I was also writing this routine in bash, and less is more as they say. My approach was very simplistic: it simply tried an incrementing value for the next page, and if the response was empty then the end of the list had been reached.

August 19, 2019 • 1 min read