copenut / homelab-learning
Building a homelab is hard work. I'm taking notes :)
License: MIT License
If I'm running Pi-hole for ad sinks, does it make sense to add a second, redundant Pi-hole server? Maybe it does. Considerations:
The time has come to run my own VPN. WireGuard sounds nice:
https://www.paolotagliaferri.com/wireguard-vpn-tunnel-with-pfsense-ce-2-5-2-package/
Found some really good articles on hardening:
Pi-hole still relies on an upstream DNS provider like Cloudflare (1.1.1.1) or Google (8.8.8.8) and maybe that's okay. Or maybe I want to be my own DNS server. Unbound might be one way to get there. Things to consider:
So now that the rack is up and running, it might be worth moving the homelab tower into a 2U, 3U, or 4U rack chassis and stacking it.
Has to be a 4U to fit an ATX style power supply unit.
Not sure I'll ever get true 1GB throughput for the money I'm spending, but this guide makes it a whole lot better:
https://teklager.se/en/knowledge-base/apu2-1-gigabit-throughput-pfsense/
This video by Lawrence Systems has a great rundown of the basics to add:
https://www.youtube.com/watch?v=oOWjHeqbWUE
Punch down cable endpoints, build the rack, start provisioning the switch, running cable
PortSwigger Academy has free courses for learning websec. I think it'd be good to start with the section on cross-site scripting (XSS).
Might be an alternative to pfSense, or something to noodle around with on the lab.
https://www.youtube.com/watch?v=7pvgKc3WdEg
Proxmox doesn't allow promiscuous mode traffic on network bridges by default. The SIEM (ELK stack, Graylog) needs this feature enabled to work properly. Found this article that seemed promising: https://monach.us/operations/sending-promisc-traffic-within-proxmox/
This will actually require me to mirror the OVS bridge in the regular Linux bridge when the time comes. The SIEM VM will live on the same bridge as pfSense and mirror the bridge with my offensive and vuln boxes.
Start capturing syslog traffic for the network on a Pi so we can consume it locally and remotely. Use these articles for a starting point, and be mindful that the SD card won't stand up to the constant writes you're going to have with noisy log files.
Minibox.com sells a pretty solid PCEngines board that will more than handle what I want to do on a home network for roughly $300 plus shipping: https://www.mini-box.com/ALIX-APU-4D4-AMD-G-Series-GX-412TC
So it's nice having the rack close by, but also noisy. Might consider a new space to locate it, if the room isn't too dusty. It's close to the central A/C, so it'll never get hot.
https://www.dlford.io/managing-proxmox-how-to-home-lab-part-2/ has a lot of good resources for making sure Proxmox stays up to date and software does too.
Failing to plan is planning to fail. Diagram out your flow of traffic from firewall ports to switches, and how you might divide VLANs.
Consider things like:
May need to try out disabling the primary wifi card, or switching to the USB adapter
After talking to J last night, there's a ton of good stuff here that should not be skipped. So... Wireshark and pcap seem to be the way to analyze traffic, at least getting started. Let's put it into practice.
You've learned a lot from this adventure. Let's write about it. If nothing else, it pushes you to get the website pushed to prod already. :)
It's time to move away from legacy domain registrar to a better one. Options include:
The fans were way too noisy to run in an office. So left a couple panels open for now and ordered new ones.
Learn more about threat data when you're up and running with FileBeats: https://elastic.github.io/security-research/whitepapers/2021/07/01.threat-intel-filebeat-module/article/
I should set up Nginx Reverse Proxy Manager. This will need a remote server to properly enable Let's Encrypt SSL.
Need to purchase the rack, tools, and cabling for setting up a new switch.
I could always stick with the Cloudflare DNS (1.1.1.1) for redundancy, but it'd be cool to be completely in-house.
By running a server on a subdomain like research or labs, I can try out Docker, Docker Swarm, and Portainer for orchestration in a relatively safe, low-cost way.
Will need a way to serial into the switch. This will be that way: https://www.ssh.com/academy/ssh/putty/linux
Suricata is next. Get it up and running, then start moving logs to Elastic for ingestion.
Start blocking ad traffic from IoT devices using Pi-hole
Once pfSense is up and running, let's get the logs outsourced to Elastic and start reviewing them.
Consider if the logs are transmitted encrypted or clear text, whatever option you settle on.
Port scanning. It's a neutral activity, all in the intent. These seem like good starting points:
Once the SIEM and IDS are set up, it's time to start snooping around and play a little capture the flag on a private subnet. These articles ought to get me started:
Since we're putting in Netdata in #50, might as well see what we can derive from it with better visualizations: https://www.youtube.com/watch?v=uimGcQVRaqI
It'll also be a chance to try out Portainer and Docker containers in a low-risk way.
A few things:
There are already good rules in place, but consolidation makes it easier to reason about.
https://help.ui.com/hc/en-us/articles/115010254227-UniFi-USG-Firewall-How-to-Disable-InterVLAN-Routing#option%202
Do this like you'd work on a pull request. Make a small change, confirm it works, then move on. For this task:
Install the pfSense firewall on new APU hardware. Ensure you have installed it with ZFS; pfSense does not like power loss, and ZFS is a better way to keep things running smoothly.
It's a fantastic monitoring tool, and looks easy to install! https://www.youtube.com/watch?v=fYl5poBJtE4
APUs are solid, but the BIOS is older. Thankfully PCEngines offers an easy upgrade path:
https://teklager.se/en/knowledge-base/apu-bios-upgrade/
This might be interesting as a way to track electricity usage as I add servers and equipment: https://grafana.com/blog/2021/04/15/learn-how-to-monitor-your-energy-use-at-home-with-a-raspberry-pi-grafana-and-prometheus/
I'm still not super clear what telemetry means, but watched a video about Open Telemetry last weekend and want to add it to the homelab for exploration.