This thread is for anyone working on personal projects to share their progress, and hold themselves somewhat accountable to a group of peers.
Post your project, your progress from last week, and what you hope to accomplish this week.
If you want to be pinged with a reminder asking about your project, let me know, and I'll harass you each week until you cancel the service
Jump in the discussion.
No email address required.
Notes -
Is asking questions about a potential project allowed here?
I want to setup a basic home networking/security lab. I have a bunch of old computers, and I have a few years of experience in IT and cybersecurity.
My goal is to have some stuff I can pentest and just generally mess around with to build my skills.
I think I’m just overwhelmed with the options and the different guides out there.
I have one of sorts.
I just frustrated my children with an Wi-fi outage while I finally vlan'd the wireless and configured the Starlink as a 2nd untrusted interface on the firewall / router.
More options
Context Copy link
A good starting-off reference point would be FUTO's guide to a self-managed home cloud setup here (though their wiki is down at the moment, so here's an archive). It's pretty comprehensive so you can kinda pick and choose the parts you actually want to implement.
Not that this really helps with paring down your options and such, but I figure it's well-structured enough that you'll have a relatively easy time parsing it.
"If your self-hosting tutorial brought you to this..."
More options
Context Copy link
More options
Context Copy link
It will probably come in helpful to equip one of those old computers with dual NICs so that you can experiment with different ways of managing network traffic.
More options
Context Copy link
One thing you'll need is a decent switch. You can usually pick up retired enterprise switches on eBay for not too much. But you'll want something that can at least handle a variety of VLAN configurations, so you can segment your testing networks and prevent things from talking to each other that should not be able to.
You might also want to consider beefing up one of the computers (or getting a retired server) with RAM and installing Proxmox, a free hypervisor for KVM/LXC. You can then set up a VM for docker containers, and VMs for various test systems or toolkits.
More options
Context Copy link
At the very basic end of things, it seems the easiest way to get started would be Docker or VMs. It's maybe a bit dated at this point, but when I took a CS course on security quite a while back, Google's Gruyere ("Swiss cheese, get it?") was a good toy target application, and there are a number of easily-searchable links for getting that running locally.
I don't directly work in pentesting, so I can't really point you at specific resources, but I think like most folks in tech I've at least had to see the other side of things ("security policy requires these changes"). The concern I'd have for you is that cybersecurity is a rabbit hole both wide and deep: I doubt there are many folks that truly understand all the details of cryptography and implementations (Debian SSH key generation, Heartbleed, Shellshock) and hardware implementation details (Spectre, Meltdown, Rowhammer), or any of a number of other relevant details (rubber hoses). If you just want to try out some fun SQL/JS injection attacks and browser development tools, Gruyere is probably a good starting point, but not being directly in the pentest side of the industry I can't speak to how useful those skills are these days given automated scanning tools for code. I can tell you that I'm pretty careful to sanitize my inputs.
More options
Context Copy link
Absolutely, plenty of people do it! Anything that will get you tinkering.
Sadly your question doesn't is outside of my expertise.
More options
Context Copy link
More options
Context Copy link