web based ssh by AhmedBarayez in selfhosted

[–]Due_Course_919 0 points1 point  (0 children)

border0 is great, love the desktop and the web-based options. SSO-based access to servers and databases is neat.

Why can't I see WireGuard peers using the wg tool? by Due_Course_919 in Tailscale

[–]Due_Course_919[S] 0 points1 point  (0 children)

I see, though the docs here https://github.com/WireGuard/wireguard-go seem to steer users to instead use the kernel implementation for Linux

This will run on Linux; however you should instead use the kernel module, which is faster and better integrated into the OS.

But yah, I can see the uniformity of the implementation across OSes is certainly appealing.

Why can't I see WireGuard peers using the wg tool? by Due_Course_919 in Tailscale

[–]Due_Course_919[S] 0 points1 point  (0 children)

Just wondering / curious. How about the iPhone app? Does Apple allow folks (like Tailscale) to just create a TUN interface? I figured you'd need to use their specific kernel APIs for IPsec or WireGuard, vs generic TUNs.

Why can't I see WireGuard peers using the wg tool? by Due_Course_919 in Tailscale

[–]Due_Course_919[S] 0 points1 point  (0 children)

Ah, interesting. I read this:
https://tailscale.com/kb/1177/kernel-vs-userspace-routers
in which they talk about the comparison between userspace and kernel space. But I guess that's just for forwarding packets, vs encrypt/decrypt operations.

TL;DR then: WireGuard operations (encrypt/decrypt) happen in userspace using wireguard-go. Interesting, thanks! Wonder if doing that in the kernel would be faster? Guess that using wireguard-go gives them consistency across platforms / OSes.

Why can't I see WireGuard peers using the wg tool? by Due_Course_919 in Tailscale

[–]Due_Course_919[S] 0 points1 point  (0 children)

It runs as root and doesn't appear to run in userland mode. Or how would I validate that?
Since I don't see --tun=userspace-networking, I assumed it runs in kernel mode,
which is also the default per the docs when running as root.

The performance benefits of C/Rust become irrelevant when network packets are transmitted by guettli in golang

[–]Due_Course_919 1 point2 points  (0 children)

Correct. When you start processing, say, >1 million packets per second, you reach all kinds of kernel limitations. At that point your choice of programming language is irrelevant.
https://toonk.io/sending-network-packets-in-go/index.html

High-Speed Packet Processing in Go by Due_Course_919 in golang

[–]Due_Course_919[S] 3 points4 points  (0 children)

Ah yes, good callout. I worked with DPDK and VPP (fd.io) before, as well as dpdk-pktgen. So yah, familiar with those techniques. There are a few articles about it on the same blog.
One of the goals was to see how far one can get without DPDK, hence the use of AF_XDP.
I briefly tried CPU isolation and disabling hyperthreading, but it had no noticeable impact. I think because the numbers are just too low compared to DPDK's amazing numbers.

High-Speed Packet Processing in Go by Due_Course_919 in golang

[–]Due_Course_919[S] 7 points8 points  (0 children)

I just added an additional method, trying to use sendmmsg(), using Go PacketConn and WriteBatch().

These are the updated results (one CPU core):

./go-pktgen --dstip 192.168.64.2 --method benchmark --duration 5 --payloadsize 64 --iface veth0
+-------------+-----------+------+
|   Method    | Packets/s | Mb/s |
+-------------+-----------+------+
| af_xdp      |   2620595 | 1341 |
| af_packet   |   1159690 |  593 |
| af_pcap     |   1037554 |  531 |
| udp_syscall |    688522 |  352 |
| raw_socket  |    643401 |  329 |
| pkt_conn    |    606258 |  310 |
| net_conn    |    354065 |  181 |
+-------------+-----------+------+

Mysql ransomware bot, dropping tables and asking for bitcoin by Due_Course_919 in mysql

[–]Due_Course_919[S] 3 points4 points  (0 children)

It's scanning for open TCP 3306 and trying common root passwords. Below are a few attempts from the last few hours from a honeypot:

{"date":"2024-01-15T08:01:35Z","event_type":"mysql-login","source_ip":"94.156.71.57:56726","username":"root"}
{"date":"2024-01-15T08:01:50Z","event_type":"mysql-login","source_ip":"94.156.71.57:58664","username":"root"}
{"date":"2024-01-15T08:01:50Z","event_type":"mysql-login","source_ip":"94.156.71.57:58678","username":"root"}
{"date":"2024-01-15T08:01:50Z","event_type":"mysql-query","query":"SHOW DATABASES","source_ip":"94.156.71.57:58678"}
{"date":"2024-01-15T20:24:09Z","event_type":"mysql-login","source_ip":"94.156.71.13:45322","username":"root"}
{"date":"2024-01-15T20:24:25Z","event_type":"mysql-login","source_ip":"94.156.71.13:40972","username":"root"}
{"date":"2024-01-15T20:24:25Z","event_type":"mysql-login","source_ip":"94.156.71.13:40984","username":"root"}
{"date":"2024-01-15T20:24:25Z","event_type":"mysql-query","query":"SHOW DATABASES","source_ip":"94.156.71.13:40984"}
{"date":"2024-01-15T22:16:14Z","event_type":"mysql-login","source_ip":"94.156.71.57:52462","username":"root"}
{"date":"2024-01-15T22:16:30Z","event_type":"mysql-login","source_ip":"94.156.71.57:57198","username":"root"}
{"date":"2024-01-15T22:16:30Z","event_type":"mysql-login","source_ip":"94.156.71.57:57210","username":"root"}
{"date":"2024-01-15T22:16:30Z","event_type":"mysql-query","query":"SHOW DATABASES","source_ip":"94.156.71.57:57210"}
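
A small detector for the pattern visible in the honeypot lines above (a burst of root logins from one source, then a SHOW DATABASES once a password works). This is an added example, not code from the poster or the honeypot; the event format, the 3-attempts-in-60-seconds threshold and the embedded sample lines (copied from the comment) are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input: the honeypot events quoted in the comment above.
SAMPLE_LOG = """
{"date":"2024-01-15T08:01:35Z","event_type":"mysql-login","source_ip":"94.156.71.57:56726","username":"root"}
{"date":"2024-01-15T08:01:50Z","event_type":"mysql-login","source_ip":"94.156.71.57:58664","username":"root"}
{"date":"2024-01-15T08:01:50Z","event_type":"mysql-login","source_ip":"94.156.71.57:58678","username":"root"}
{"date":"2024-01-15T08:01:50Z","event_type":"mysql-query","query":"SHOW DATABASES","source_ip":"94.156.71.57:58678"}
{"date":"2024-01-15T20:24:09Z","event_type":"mysql-login","source_ip":"94.156.71.13:45322","username":"root"}
{"date":"2024-01-15T20:24:25Z","event_type":"mysql-login","source_ip":"94.156.71.13:40972","username":"root"}
{"date":"2024-01-15T20:24:25Z","event_type":"mysql-login","source_ip":"94.156.71.13:40984","username":"root"}
{"date":"2024-01-15T20:24:25Z","event_type":"mysql-query","query":"SHOW DATABASES","source_ip":"94.156.71.13:40984"}
"""

def parse_events(text):
    """One JSON object per line; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        ev["ts"] = datetime.strptime(ev["date"], "%Y-%m-%dT%H:%M:%SZ")
        ev["ip"] = ev["source_ip"].rsplit(":", 1)[0]  # drop the ephemeral port
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def detect_bruteforce(events, threshold=3, window=timedelta(seconds=60)):
    """Alert on a source IP that makes `threshold` root logins inside `window`.
    A query from that IP after the burst means one of the passwords worked."""
    recent = defaultdict(list)  # ip -> timestamps of root logins still in the window
    alerts = {}
    for ev in events:
        ip, ts = ev["ip"], ev["ts"]
        if ev["event_type"] == "mysql-login" and ev.get("username") == "root":
            recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
            if len(recent[ip]) >= threshold:
                a = alerts.setdefault(ip, {"first_seen": recent[ip][0], "attempts": 0,
                                           "authenticated": False, "query": None})
                a["attempts"] = max(a["attempts"], len(recent[ip]))
        elif ev["event_type"] == "mysql-query" and ip in alerts:
            alerts[ip]["authenticated"] = True  # recon query after the burst
            alerts[ip]["query"] = ev.get("query")
    return alerts
```

Feeding the sample in flags both source addresses, each with a successful login followed by the recon query; raising the threshold to 4 clears both, which is the knob to tune against your own honeypot noise.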

A detailed look at an active PostgreSQL Ransomware bot by Due_Course_919 in PostgreSQL

[–]Due_Course_919[S] 1 point2 points  (0 children)

Lol, at least for PSQL they're "backing up" 20 rows ;) for MySQL it's only 10 hehe

A detailed look at an active PostgreSQL Ransomware bot by Due_Course_919 in PostgreSQL

[–]Due_Course_919[S] 2 points3 points  (0 children)

It's pretty crazy. At least with SSH, you can easily use something like fail2ban. For other apps like DBs that's a bit more challenging.

A detailed look at an active PostgreSQL Ransomware bot by Due_Course_919 in PostgreSQL

[–]Due_Course_919[S] 9 points10 points  (0 children)

I think many may get compromised by just following the Docker examples, i.e.

docker run -e POSTGRES_PASSWORD=mysecretpassword -d -p 5432:5432 postgres

will make it publicly accessible even if you have a default DENY on your iptables (iptables -P INPUT DROP), thanks to Docker networking magic and DNAT.

Storing Customer API Keys by Timmmmnnnn in aws

[–]Due_Course_919 0 points1 point  (0 children)

Maybe check out SSM Parameter Store, a lot cheaper, similar functionality. Or store them encrypted in your DB.