Selfhosted
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
view the rest of the comments
would you classify out of band whitelisting by IP (or other session characteristic[s]) as having no security merit whatsoever?
would you classify it as purely a decision regarding network congestion & optimisation?
you're ofc free to define these things however you wish, but in a form which is helpful to OP's question i'm not sure i follow you.
I just wanted to make clear that port knocking is obscurity and maintaining and configuring your still public facing services in a secure manner is essential. There are best practices which I did not define and are applicable here.
If you whitelist your IP that of course helps but I am not sure what that has to do with port knocking. Whitelisting an IP after it knocked right, that would be obscurity. Whitelisting an IP after it authenticated through a secure connection with secure credentials? Why not just use VPN?
I am also not directly commenting on OPs question, as I try to tackle missconceptions in the comments.
if you can't work out what knocking might have to do with whitelisting then i'm not sure what you hoped to contribute towards reducing misconceptions in the conversation
You wrote:
without specifying further. How am I supposed to work out what you mean? I did a guess in my last answer and you seem not to care about a discussion on the topic but instead now question me. I
ok fair enough, sorry i may have misinterpreted what you meant.
it sounds like your argument is that if the attacker doesn't know the service is running then the assertion that this reduces the risk profile is classified as an obscurity control - this argument is correct under these conditions.
however, certain knocking configurations are not obscurity, because their purpose & value does not depend on the hope that the attacker is unaware of the service's existence but rather to reduce the attacker's window of access to the service with a type of out of band whitelisting. by limiting the attacker's access to the service you are reducing the attack surface.
you can imagine it like a stack call trace, the deeper into the trace you go, every single instruction represents the attack surface getting larger and larger. the earlier in the trace you limit access to the attacker, you are by definition reducing the attack surface.
in case i've misinterpreted what you meant. susceptibility to a replay attack does not mean something isn't a security measure. it means it's a security measure with a vulnerability. ofc replay attacks in knocking is a well known problem addressed long ago.
perhaps the other source of miscommunication is for us to remember that security is about layers, because no single layer is ever going to be perfect.