Why Build a Home Lab?
You can't learn defensive security just by reading. You need traffic to analyze, alerts to triage, and systems to harden. A home lab gives you a safe space to do all of that.
Here's how to build one without spending much money.
Hardware Requirements
You don't need a rack server. A spare laptop or desktop with:
Or use cloud VMs — AWS Free Tier, Oracle Always Free, or DigitalOcean.
Core Stack
1. Hypervisor — VirtualBox (Free)
# Download from virtualbox.org
# Create separate VMs for each component
2. SIEM — Elastic Stack (ELK)
The most widely used open-source SIEM. Three components: Elasticsearch (storage and search), Logstash (log ingest and parsing) and Kibana (dashboards and alerting).
# Quick start with Docker (assumes a docker-compose.yml that defines these three services)
docker-compose up -d elasticsearch kibana logstash
3. IDS — Suricata
# Install on Ubuntu
sudo apt install suricata
# Update rules
sudo suricata-update
# Run on interface (replace eth0 with the interface that sees your lab traffic)
sudo suricata -c /etc/suricata/suricata.yaml -i eth0
4. Log Shipper — Filebeat
Ships logs from endpoints to your SIEM.
# filebeat.yml
filebeat.inputs:
  - type: log
    paths:
      - /var/log/auth.log
      - /var/log/syslog
output.elasticsearch:
  # On a separate endpoint VM, replace localhost with the address of the SIEM VM
  hosts: ["localhost:9200"]
Generating Malicious Traffic to Analyze
Use intentionally vulnerable VMs:
Run attacks from a Kali VM against these targets and watch the alerts appear in Kibana.
Detection Rules to Start With
# Suricata — detect Nmap SYN scan: 20 SYNs from one source to $HOME_NET within 2 s
alert tcp any any -> $HOME_NET any (msg:"Possible Nmap SYN Scan"; flags:S; threshold: type both, track by_src, count 20, seconds 2; sid:1000001;)
# Suricata — detect SSH brute force: 5 new connections to port 22 from one source within 60 s
# (flags:S counts only connection attempts; without it every packet of a normal SSH session would count toward the threshold)
alert tcp any any -> $HOME_NET 22 (msg:"SSH Brute Force Attempt"; flags:S; threshold: type both, track by_src, count 5, seconds 60; sid:1000002;)
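To understand what those threshold clauses actually do before you load the rules, here is an added example, written for this guide rather than taken from Suricata or from the original post. It parses the two rules with a small regex, then replays constructed lab traffic (a port sweep, a password-guessing loop and one ordinary SSH session) through a simplified model of `threshold: type both, track by_src`. The `192.168.56.0/24` subnet, the host addresses and the timings are all made-up values; the threshold model follows the documented semantics (the count-th match in a window fires once, then the window stays quiet) and is not Suricata's own implementation.

```python
"""Replay constructed SYN events through the two Suricata rules above.

Added example (not Suricata code): a tiny rule parser plus a simplified
model of `threshold: type both, track by_src`.
"""
import ipaddress
import re
from collections import defaultdict

# Lab subnet standing in for $HOME_NET; constructed value, adjust to your lab.
HOME_NET = ipaddress.ip_network("192.168.56.0/24")

RULES_TEXT = r'''
alert tcp any any -> $HOME_NET any (msg:"Possible Nmap SYN Scan"; flags:S; threshold: type both, track by_src, count 20, seconds 2; sid:1000001;)
alert tcp any any -> $HOME_NET 22 (msg:"SSH Brute Force Attempt"; flags:S; threshold: type both, track by_src, count 5, seconds 60; sid:1000002;)
'''

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)$"
)


def parse_rule(line):
    """Split one rule into header fields, an options dict and threshold values."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a rule: {line!r}")
    rule = m.groupdict()
    opts = {}
    # Options are `key:value;` pairs; the msg values here contain no ';'.
    for opt in filter(None, (o.strip() for o in rule.pop("opts").split(";"))):
        key, _, val = opt.partition(":")
        opts[key.strip()] = val.strip().strip('"')
    # "type both, track by_src, count 20, seconds 2" -> {'type': 'both', ...}
    thr = dict(kv.split() for kv in opts["threshold"].split(","))
    rule.update(opts=opts, sid=int(opts["sid"]), track=thr["track"],
                count=int(thr["count"]), seconds=int(thr["seconds"]))
    return rule


def parse_rules(text):
    return [parse_rule(line) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def _addr_ok(spec, addr):
    if spec == "any":
        return True
    if spec == "$HOME_NET":
        return ipaddress.ip_address(addr) in HOME_NET
    raise ValueError(f"unsupported address spec {spec!r}")


def _port_ok(spec, port):
    return spec == "any" or int(spec) == port


def matches(rule, ev):
    """Header match plus the one packet option these rules use: flags."""
    want = rule["opts"].get("flags")
    return (rule["proto"] == ev["proto"]
            and _addr_ok(rule["src"], ev["src"]) and _addr_ok(rule["dst"], ev["dst"])
            and _port_ok(rule["sport"], ev["sport"]) and _port_ok(rule["dport"], ev["dport"])
            and (want is None or want == ev["flags"]))


def replay(rules, events):
    """Model of `threshold: type both`: the count-th match inside a `seconds`
    window, per tracked source, fires exactly one alert; later matches in the
    same window are silent, and the next match after it expires opens a new one."""
    state = defaultdict(lambda: [None, 0])  # (sid, tracked addr) -> [window_start, hits]
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        for rule in rules:
            if not matches(rule, ev):
                continue
            tracked = ev["src"] if rule["track"] == "by_src" else ev["dst"]
            st = state[(rule["sid"], tracked)]
            if st[0] is None or ev["ts"] >= st[0] + rule["seconds"]:
                st[0], st[1] = ev["ts"], 1
            else:
                st[1] += 1
            if st[1] == rule["count"]:
                alerts.append((round(ev["ts"], 2), rule["sid"], tracked))
    return alerts


def pkt(ts, src, dst, dport, flags="S"):
    return dict(ts=ts, proto="tcp", src=src, sport=40000, dst=dst, dport=dport, flags=flags)


TARGET = "192.168.56.10"  # constructed: the vulnerable VM
# Constructed traffic: a 30-port sweep in 1.5 s, eight SSH attempts 5 s apart,
# and one legitimate SSH session (a single SYN followed by 30 ACK packets).
SCAN = [pkt(100 + i * 0.05, "192.168.56.50", TARGET, 1 + i) for i in range(30)]
BRUTE = [pkt(200 + i * 5, "192.168.56.60", TARGET, 22) for i in range(8)]
LEGIT_SSH = [pkt(300, "192.168.56.70", TARGET, 22)] + [
    pkt(300.1 + i * 0.1, "192.168.56.70", TARGET, 22, flags="A") for i in range(30)]
EVENTS = SCAN + BRUTE + LEGIT_SSH

# The same brute-force rule with flags:S removed: it then counts every packet
# to port 22, so the ordinary SSH session trips it as well.
LOOSE_SSH_RULE = ('alert tcp any any -> $HOME_NET 22 (msg:"SSH Brute Force Attempt"; '
                  'threshold: type both, track by_src, count 5, seconds 60; sid:1000002;)')


def alerts_with_flags():
    return replay(parse_rules(RULES_TEXT), EVENTS)


def alerts_without_flags():
    return replay([parse_rule(LOOSE_SSH_RULE)], EVENTS)


if __name__ == "__main__":
    for a in alerts_with_flags():
        print("alert (flags:S)   ", a)
    for a in alerts_without_flags():
        print("alert (no flags)  ", a)
```

With `flags:S` in place, the scan fires sid 1000001 once (on the 20th SYN) and the guessing loop fires sid 1000002 once (on the 5th attempt), while the legitimate session stays silent. Run against `LOOSE_SSH_RULE`, the same legitimate session produces a brute-force alert on its fourth ACK, which is the false positive the `flags:S` clause removes. The model is only as good as its inputs: the 20-SYNs-in-2-s rule will also fire on a busy legitimate client, so tune the counts against your own lab's baseline traffic in Kibana.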
Learning Path with Your Lab
Resources
The best analysts have broken things themselves. Build it, break it, detect it.