2025 – present
  • Nessus
  • OPNsense
  • WireGuard
  • Cowrie
  • Hetzner
  • Networking

Network security lab

Practical security work on my own infrastructure: Nessus vulnerability scanning, OPNsense firewall hardening with DNS blocklists, WireGuard VPN, and a Cowrie honeypot on a Hetzner VPS to study real-world attack patterns.

Security isn’t just about what you study — it’s about what you practice. My homelab doubles as a security lab where I can run real tools against real infrastructure and observe what’s actually happening on the internet.

Vulnerability scanning

I run Nessus Essentials scans against my own network weekly. The first scan was humbling — services with known CVEs I hadn’t patched, and several services with unnecessarily broad network exposure. Running a scanner against your own infrastructure teaches you to actually read CVE advisories rather than dismissing them.

Firewall and DNS hardening

OPNsense is my router+firewall. The baseline configuration covers:

  • VLAN segmentation: IoT, trusted devices, and servers on separate networks with firewall rules controlling inter-VLAN traffic
  • Hagezi DNS blocklists (multi-pro level) configured in Unbound - drops ads, trackers, and known malware domains at the resolver
  • IDS/IPS with Suricata and ET Open ruleset
  • GeoIP blocking for inbound connections from high-risk regions

WireGuard VPN

A WireGuard server on OPNsense lets me connect back to my home network from anywhere. Configuration-wise, it’s minimal — WireGuard’s simplicity is its best feature. Every device gets a key pair; the VPN peer list is managed in OPNsense’s UI. Split tunneling routes only home-network traffic through the VPN, so remote work doesn’t slow down.

Cowrie honeypot

A Cowrie SSH honeypot runs on a Hetzner VPS with port 22 exposed to the internet. Within hours of deployment, it was receiving brute-force attempts. The logs are fascinating: common username lists, password sprays, and occasionally more sophisticated attempts that try commands after “successful” login.

I pipe the logs to a Grafana dashboard at home for visualization — attack source IPs, most common usernames tried, attempt frequency over time. It’s not research-grade threat intelligence, but it’s an excellent window into what automated scanners are actually doing out there.
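
The aggregation behind dashboard panels like these can be sketched offline. The following is an added example, not the pipeline used in this lab: it reads Cowrie's JSON-lines log and counts login attempts per source IP, username, and hour, and lists commands typed after an accepted login. The log lines are constructed, and the `summarize` function and its result keys are names chosen for the example.

```python
import json
from collections import Counter, defaultdict

# Constructed sample in Cowrie's JSON-lines log format (documentation-range IPs,
# not real captures). The second-to-last line is deliberately truncated.
SAMPLE_LOG = """
{"eventid":"cowrie.login.failed","username":"root","password":"123456","src_ip":"192.0.2.10","session":"a1","timestamp":"2025-03-01T02:14:08.300000Z"}
{"eventid":"cowrie.login.failed","username":"admin","password":"admin","src_ip":"192.0.2.10","session":"a1","timestamp":"2025-03-01T02:14:09.900000Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"password","src_ip":"198.51.100.7","session":"b2","timestamp":"2025-03-01T02:59:58.010000Z"}
{"eventid":"cowrie.login.success","username":"root","password":"root","src_ip":"198.51.100.7","session":"b2","timestamp":"2025-03-01T03:00:01.440000Z"}
{"eventid":"cowrie.command.input","input":"uname -a","src_ip":"198.51.100.7","session":"b2","timestamp":"2025-03-01T03:00:03.000000Z"}
{"eventid":"cowrie.login.failed","username":"ubnt","src_ip":"203.0.113.5
{"eventid":"cowrie.login.failed","username":"root","password":"toor","src_ip":"192.0.2.10","session":"c3","timestamp":"2025-03-01T03:20:41.770000Z"}
"""

LOGIN_EVENTS = ("cowrie.login.failed", "cowrie.login.success")

def summarize(lines, top=5):
    """Aggregate Cowrie events into the counts a dashboard would plot."""
    ips, users, per_hour = Counter(), Counter(), Counter()
    logged_in, commands, skipped = set(), defaultdict(list), 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1  # partially written or rotated line: count it, keep going
            continue
        eid = ev.get("eventid", "")
        if eid in LOGIN_EVENTS:
            ips[ev.get("src_ip")] += 1
            users[ev.get("username")] += 1
            per_hour[ev.get("timestamp", "")[:13]] += 1  # bucket: YYYY-MM-DDTHH
            if eid == "cowrie.login.success":
                logged_in.add(ev.get("session"))
        elif eid == "cowrie.command.input" and ev.get("session") in logged_in:
            # Sessions that go on to run commands are the ones worth reading by hand.
            commands[ev["session"]].append(ev.get("input", ""))
    return {"top_ips": ips.most_common(top), "top_users": users.most_common(top),
            "per_hour": dict(per_hour), "post_login_commands": dict(commands),
            "skipped": skipped}

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_LOG.splitlines()), indent=2))
```

Counting unparseable lines instead of silently dropping them makes a broken log shipper visible as a rising `skipped` value rather than as a quiet dip in attack volume.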