1copenut / homelab-learning
Building a homelab is hard work. I'm taking notes :)
License: MIT License
It's a fantastic monitoring tool, and looks easy to install! https://www.youtube.com/watch?v=fYl5poBJtE4
Port scanning. It's a neutral activity, all in the intent. These seem like good starting points:
Portswigger Academy has free courses for learning websec. I think it'd be good to start with the section on XSS cross-site scripting.
So now that the rack is up and running, it might be worth moving the homelab tower into a 2U or 3U 4U rack and stacking it.
Has to be a 4U to fit an ATX style power supply unit.
This video by Lawrence Systems has a great rundown of the basics to add:
https://www.youtube.com/watch?v=oOWjHeqbWUE
Install the pfSense firewall on new APU hardware. Ensure you have installed it with ZFS--pfSense does not like power loss and ZFS is a better way to keep things running smoothly.
Failing to plan is planning to fail. Diagram out your flow of traffic from firewall ports to switches, and how you might divide VLANs.
Consider things like:
Pi-hole still relies on an upstream DNS provider like Cloudflare (1.1.1.1) or Google (8.8.8.8) and maybe that's okay. Or maybe I want to be my own DNS server. Unbound might be one way to get there. Things to consider:
If I'm running Pi-hole for ad sinks, does it make sense to add a second, redundant Pi-hole server? Maybe it does. Considerations:
Not sure I'll ever get true 1GB throughput for the money I'm spending, but this guide makes it a whole lot better:
https://teklager.se/en/knowledge-base/apu2-1-gigabit-throughput-pfsense/
The fans were way too noisy to run in an office. So left a couple panels open for now and ordered new ones.
After talking to J last night, there's a ton of good stuff and should not be skipped. So...
You've learned a lot from this adventure. Let's write about it. If nothing else, it pushes you to get the website pushed to prod already. :)
There's already good rules in place, but consolidation makes it easier to reason about.
https://help.ui.com/hc/en-us/articles/115010254227-UniFi-USG-Firewall-How-to-Disable-InterVLAN-Routing#option%202
Do this like you'd work on a pull request. Make a small change, confirm it works, then move on. For this task:
I should set up Nginx Reverse Proxy Manager. This will need a remote server to properly enable Let's Encrypt SSL.
The time has come to run my own VPN. WireGuard sounds nice:
https://www.paolotagliaferri.com/wireguard-vpn-tunnel-with-pfsense-ce-2-5-2-package/
May need to try out disabling the primary wifi card, or switching to the USB adapter
Will need a way to serial into the switch. This will be that way: https://www.ssh.com/academy/ssh/putty/linux
So it's nice having the rack close by, but also noisy. Might consider a new space to locate it, if the room isn't too dusty. It's close to the central A/C, so it'll never get hot.
Start capturing syslog traffic for the network on a Pi so we can consume it locally and remotely. Use these articles for a starting point and be mindful the SD card won't stand up to multiple writes like you're going to have with noisy log files.
https://www.dlford.io/managing-proxmox-how-to-home-lab-part-2/ has a lot of good resources for making sure Proxmox stays up to date and software does too.
Once pfSense is up and running, let's get the logs outsourced to Elastic and start reviewing them.
Consider if the logs are transmitted encrypted or clear text, whatever option you settle on.
Start blocking ad traffic from IoT devices using Pi-hole
Minibox.com sells a pretty solid PCEngines board that will more than handle what I want to do on a home network for roughly $300 plus shipping: https://www.mini-box.com/ALIX-APU-4D4-AMD-G-Series-GX-412TC
Once the SIEM and IDS are set up, it's time to start snooping around and play a little capture the flag on a private subnet. These articles ought to get me started:
APUs are solid, but the BIOS is older. Thankfully PCEngines offers an easy upgrade path:
https://teklager.se/en/knowledge-base/apu-bios-upgrade/
Since we're putting in Netdata in #50, might as well see what we can derive from it with better visualizations: https://www.youtube.com/watch?v=uimGcQVRaqI
It'll also be a chance to try out Portainer and Docker containers in a low-risk way.
Need to purchase the rack, tools, and cabling for setting up a new switch.
Proxmox doesn't allow promiscuous mode traffic on network bridges by default. The SIEM (ELK stack, Graylog) needs this feature enabled to work properly. Found this article that seemed promising: https://monach.us/operations/sending-promisc-traffic-within-proxmox/
This will actually require me to mirror the OVS bridge in the regular Linux bridge when the time comes. The SIEM VM will live on the same bridge as pfSense and mirror the bridge with my offensive and vuln boxes.
Learn more about threat data when you're up and running with Filebeat: https://elastic.github.io/security-research/whitepapers/2021/07/01.threat-intel-filebeat-module/article/
Might be an alternative to pfSense, or something to noodle around with on the lab.
https://www.youtube.com/watch?v=7pvgKc3WdEg
I'm still not super clear what telemetry means, but watched a video about Open Telemetry last weekend and want to add it to the homelab for exploration.
This might be interesting as a way to track electricity usage as I add servers and equipment: https://grafana.com/blog/2021/04/15/learn-how-to-monitor-your-energy-use-at-home-with-a-raspberry-pi-grafana-and-prometheus/
A few things:
By running a server on a subdomain like research or labs I can try out Docker, Docker Swarm, and Portainer for orchestration in a relatively safe, low-cost way.
Found some really good articles on hardening:
Wireshark and pcap seem to be the way to analyze traffic, at least getting started. Let's put it into practice.
I could always stick with the Cloudflare DNS (1.1.1.1) for redundancy, but it'd be cool to be completely in-house.
Suricata is next. Get it up and running, then start moving logs to Elastic for ingestion.
Punch down cable endpoints, build the rack, start provisioning the switch, running cable
It's time to move away from legacy domain registrar to a better one. Options include: