exekewtable

Bomgar alternatives

Posted by HPFOC@reddit | sysadmin | View on Reddit | 26 comments

exekewtable@reddit

We use rustguac and knocknoc. Fast, free (rustguac), easy to use. Knocknoc keeps it locked down. All HTML, all self hosted. Session recording, OIDC, RDP, Linux, Windows, SSH jumping.

Suggestions for modern VPN solution

Posted by yowanvista@reddit | sysadmin | View on Reddit | 113 comments

exekewtable@reddit

Have you tried Knocknoc in the mix? We use it for this exact purpose in similar networks. It was actually invented to lock down Guacamole. There is also rustguac now if you want another option to look at. Knocknoc and haproxy might get you a long way here.

Cve-2026-31431 medium unpriv to root

Posted by heisenbugtastic@reddit | sysadmin | View on Reddit | 10 comments

exekewtable@reddit

Another example: WordPress plugins are often running as an unprivileged user and are basically arbitrary code. This takes a hostile WordPress plugin from deface your site to deface all the sites on the box.

Isolating manufacturing machine network

Posted by Hugo825@reddit | sysadmin | View on Reddit | 40 comments

exekewtable@reddit

We use knocknoc for this. SSO-brokered access control, allows you through the reverse proxy or firewall for the smallest possible time. OT machines live by different rules so all we can do is super isolate them. Knocknoc means we can balance security and convenience in a sensible way. Click to grant and ticket reference features are used to add accountability and workflow.

(OSS) Remote Desktop platform (Ongoing Development)

Posted by PsycoCR@reddit | sysadmin | View on Reddit | 11 comments

Best cloud proxy or SASE alternatives to Zscaler for remote users?

Posted by Efficient_Agent_2048@reddit | sysadmin | View on Reddit | 30 comments

exekewtable@reddit

Routing all your stuff through someone else isn't zero trust. It's maximum trust. We simply use Knocknoc for access to on-prem stuff and it works great. It lets us lock down VPNs, sites, SSH etc. It takes advantage of the security built in already, simply by removing attack surface. It's quite a different take on the problem, but once you get it, it's amazing.

Not sure if this exists, but does anyone know of an open source DNS list of known malicious sites or IPs to block on firewalls?

Posted by bobert3275@reddit | sysadmin | View on Reddit | 24 comments

Can't see any Linux sysadmin jobs

Posted by ---Agent-47---@reddit | linuxadmin | View on Reddit | 52 comments

DNS question

Posted by HighBlind@reddit | sysadmin | View on Reddit | 109 comments

Simple but Effective SSH Rate Limiting with PAM and nftables

Posted by c0l0@reddit | linuxadmin | View on Reddit | 12 comments

We integrate with Slack/Teams/PagerDuty/etc. Why is ServiceNow $50k + red tape?

Posted by WhenSingularity@reddit | sysadmin | View on Reddit | 34 comments

Heads-up: Atlassian is sunsetting Data Center by March 2029.

Posted by LorinaBalan@reddit | sysadmin | View on Reddit | 40 comments

Linux-based "Jump Box" for secure network and server admin

Posted by jhdore@reddit | linuxadmin | View on Reddit | 10 comments

What solutions do you use for IT asset management (devices, IPs, versions, etc.)?

Posted by gonchaa0_0@reddit | sysadmin | View on Reddit | 33 comments

best ZTNA tools 2025?

Posted by Accomplished-Wall375@reddit | sysadmin | View on Reddit | 45 comments

exekewtable@reddit

That Zscaler was/is training their AI on all your data is hectic to me. Why would anyone use them to decode TLS then train an LLM on it? Hectic. So glad we went with Knocknoc, super simple actual zero trust. Self hosted, bolt on, easy to use, no spying.

Do you have an LB for DNS pointing to ADDS servers?

Posted by NotYourOrac1e@reddit | sysadmin | View on Reddit | 25 comments

Connect to a website from a static IP address

Posted by Critical-King-7349@reddit | sysadmin | View on Reddit | 32 comments

Modern Alternatives to SSL VPNs. What’s Actually Working Long Term?

Posted by jul_on_ice@reddit | sysadmin | View on Reddit | 157 comments

exekewtable@reddit

We are super happy with Knocknoc. It's probably a drop-in solution for your org, and lets you tick all those boxes without a magic cloud or complicated routing. It lets you build a solid zero trust solution where it matters, reducing your attack surface, without the expense or hassle of a complicated magic cloud. Knocknoc.io in case you can't find it.

Debian 13 released!

Posted by sdns575@reddit | linux | View on Reddit | 76 comments

IP Address Tracking Tool

Posted by Sigma186@reddit | sysadmin | View on Reddit | 26 comments

exekewtable@reddit

Netbox is better than phpipam as it kinda forces you to record more stuff than just the IP. Phpipam might be fine if you want something slightly better than a spreadsheet, but Netbox is worth it. Once you realise how you can use Netbox as the heart of your automation, a whole new world opens up. Ansible, provisioning, monitoring, reporting. All powered from the Netbox API.

PSA: Entra Private Access is better than traditional VPN IMO

Posted by FatBook-Air@reddit | sysadmin | View on Reddit | 116 comments

exekewtable@reddit

We switched a customer away to Knocknoc, as they wanted even less attack surface. You still get Entra integration with NSG or lockdown etc. But no magic cloud or routing. Works well.

It’s time to move on from VMware…

Posted by A3V01D@reddit | sysadmin | View on Reddit | 652 comments

exekewtable@reddit

Proxmox has Ceph as a first-class citizen, so you can do an HCI-style cluster for your main workloads, and grow extra storage out the back on bigger storage-oriented nodes. Ceph will let you scale and be flexible to mix and match. 1PB is nothing for Ceph.

Large on-premise monitoring

Posted by Specialist-Desk-3130@reddit | sysadmin | View on Reddit | 54 comments

exekewtable@reddit

We use icinga2 driven by NetBox config for large (even larger than yours) envs. You need config automation at scale. We add on grafana, alerta, meerkat, other stuff depending on need.

Insider threat discussion - recent Coinbase hack brought up questions of what to do

Posted by Nola_Dazzling@reddit | sysadmin | View on Reddit | 30 comments

exekewtable@reddit

We use Knocknoc to effectively add/retrofit dynamic firewall rules on our LAN/assets. This means only certain users at certain times can even begin to connect to things. Of course do all the other stuff people suggested, but once you consider that you probably trust certain network segments to not be compromised, you realize you need finer-grained controls. Knocknoc let us retrofit these network controls without having to do a major redesign.

Virtual Sockets

Posted by divyang_space@reddit | linuxadmin | View on Reddit | 9 comments

I set up Fail2Ban yesterday on my VPS, you can't make this shit up...

Posted by a_deneb@reddit | sysadmin | View on Reddit | 226 comments

RDP without a VPN client

Posted by BigPoppaPump36@reddit | sysadmin | View on Reddit | 158 comments

what are you using as a source of truth (inventory)

Posted by crankysysadmin@reddit | linuxadmin | View on Reddit | 33 comments

RDP without the risk: Cloudflare's browser-based solution for secure third-party access

Posted by tepitokura@reddit | sysadmin | View on Reddit | 21 comments

KVM geo-replication advices

Posted by async_brain@reddit | linuxadmin | View on Reddit | 61 comments

Wondering if there is anyone who can help on pfsense and pomerium

Posted by sniffingsock@reddit | sysadmin | View on Reddit | 7 comments

Client wants international access to web portal...

Posted by tech-grift@reddit | sysadmin | View on Reddit | 12 comments

To those who successfully migrated VMWare to Proxmox or Hyper-V how did it go?

Posted by bobmlord1@reddit | sysadmin | View on Reddit | 68 comments

Favorite NTP Server?

Posted by tttekev@reddit | sysadmin | View on Reddit | 148 comments
what do you prefer as monitoring software/system?

Posted by satisfaction_olaf@reddit | sysadmin | View on Reddit | 97 comments

exekewtable@reddit

Lots of people are, they just aren't on Reddit. Icinga2 and Netbox for monitoring automation is my favourite combo. Making monitoring config sustainable with changing network data is the end goal. It's one thing to have pretty graphs and blinking lights, another to build a system that scales and lasts.

Simple but Effective SSH Rate Limiting with PAM and nftables

Posted by c0l0@reddit | linuxadmin | View on Reddit | 12 comments

exekewtable@reddit

Sure. Not everyone can run WireGuard for both server and client reasons. The original post wasn't about WireGuard though. The reality of lots of infrastructure is you gotta balance what you have with what you can bear. It's a compromise between security and convenience. Knocknoc is super handy, you can just allow SSH itself directly once you get it going, no WireGuard needed. Hook it into haproxy and you get layer 7 access control. But these are different problems. A VPN means you can modify the routing table of the client, not everyone can do that. But if you can, why not both? Or not? It's good to have choice.

Simple but Effective SSH Rate Limiting with PAM and nftables

Posted by c0l0@reddit | linuxadmin | View on Reddit | 12 comments

exekewtable@reddit

The webserver is somewhere else on the Internet. From the POV of an attacker, how are they meant to know that this random website opens a port on your firewall somewhere else? The risk profile for self hosting is very measurable: stick the server on your own DO droplet, agent behind your firewall out to the droplet. You can see what is going on pretty easily at both ends, and lock that down. If you really want you can run Knocknoc in a purely passive sense now, it just publishes a list of IPs which your firewall can fetch. This is for the EDL feature of PAN-OS, Junos etc. and we set it up for a customer recently. Works well, and their VPN isn't on the Internet anymore. Even compromise of the server should only mean an attacker can now get your IP. Then they can go after your firewall. Which is how defense in depth works. It's about adding layers, and zero day and brute force are very real threats, which the OP was about.

Simple but Effective SSH Rate Limiting with PAM and nftables

Posted by c0l0@reddit | linuxadmin | View on Reddit | 12 comments

exekewtable@reddit

Interesting take. Knocknoc gives you the ultimate in control, perhaps take another look at it? It means your VPN port is not open either until you auth somewhere else. An attacker looking at your machine sees an open WireGuard port, so your exposure is limited to the (excellent) WireGuard key management code. Knocknoc allows you to have that port closed until you need it, and only from your source address. So we have a Knocknoc agent on VPN headends, only opening the ports to the source IP of authenticated users, who authenticated on the Knocknoc server somewhere else. The agent is outbound, so no ports are open at all on the target machine. Of course if you only have one IP or one environment, putting it all on the one machine (agent and server) means port 443 is open. Knocknoc free is limited to one user, which is a bit stingy. I hope they ease up a bit on that soon. But silent orchestration is the way to go, with zero attack surface.

Simple but Effective SSH Rate Limiting with PAM and nftables

Posted by c0l0@reddit | linuxadmin | View on Reddit | 12 comments

exekewtable@reddit

We recently switched all our jumpboxes to use Knocknoc and it's been wonderful. Slides right into our way of working. Even allows us to have some customers co-manage certain machines as it can mix local and SAML auth.

What's a good nerd show/podcast to play while working?

Posted by battletactics@reddit | sysadmin | View on Reddit | 107 comments

Do you know a company where you can buy a periodic port scanning at scale (a lot IPs and all ports)?

Posted by unihilists@reddit | sysadmin | View on Reddit | 49 comments

Vaultwarden: would your broke org use it?

Posted by Small-Double-9569@reddit | sysadmin | View on Reddit | 55 comments

Remote Desktop Gateway Alternatives

Posted by officeboy@reddit | sysadmin | View on Reddit | 109 comments
Linux Desktop Management Solution

Posted by Severus157@reddit | linuxadmin | View on Reddit | 34 comments

exekewtable@reddit

JumpCloud can do this and much more. You don't get a lot of batteries with the Linux agent, but it does work OK, and the whole solution can probably work with whatever else you have.

Load ipset on reboot, before iptables - Ubuntu?

Posted by Spparkee@reddit | linuxadmin | View on Reddit | 6 comments

Best DCIM Solution

Posted by JoeyFromMoonway@reddit | sysadmin | View on Reddit | 9 comments

exekewtable@reddit

Netbox has changed a lot very recently as NetBox Labs has grown and taken charge. I have seen them be much more customer focused, and there is a team of people working on it to be more sustainable and flexible. I agree this used to be a problem, but recently it has definitely shifted.

Is `systemd-timesyncd` suitable for use on servers?

Posted by lightnb11@reddit | linuxadmin | View on Reddit | 28 comments