This Is How I Spend My Time

A Blog About Self-Imposed IT Projects and Tech Exploration


Trying Something New – Install Proxmox and Configure a Cluster

I have never used Proxmox for virtual machines before. I was prepared to use VMware ESXi for this project, but I was looking for an option that would give me features that are only available with vSphere, which comes at a cost. After doing some research I ran across Proxmox. I was ready to try something new, and Proxmox offered all of the features I was looking for, so I figured I would test it out on this build. The steps below walk through how to install Proxmox and configure a cluster.

Prerequisite: Creating a New Home Hacking Lab with Proxmox

Installing Proxmox and Configuring a Cluster

I installed Proxmox by downloading the ISO and imaging a USB drive. From there it was a simple process of booting the servers to the USB and installing Proxmox. As mentioned in the design, I placed these devices on a separate segment of my home network and assigned the IP range 172.16.1.0/24. Each host was assigned a hostname and IP:

  • vmhost1 – 172.16.1.10
  • vmhost2 – 172.16.1.11
  • vmhost3 – 172.16.1.12

After I installed Proxmox, I logged into each host using the web interface at https://[host IP address]:8006. From there I could configure a cluster so I could manage all of the machines from a single interface and take advantage of features like VM migration and software defined networking. Creating a cluster in Proxmox is pretty straightforward: you create the cluster on one host, copy its join information, and use that to join the other hosts. Here is a picture of my cluster after all the machines were joined.

Screenshot of Proxmox cluster with three hosts, node ID, and IP address. Cluster name is LabNetwork.
Lab Network Proxmox cluster

After creating the cluster, logging in to any host gives you a Datacenter view with all of your cluster hosts.

Proxmox datacenter view with three virtual hosts and datacenter summary showing a good cluster status.
Lab Network Proxmox datacenter view
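The same cluster build can be driven from a root shell on the hosts, and it is worth checking quorum before relying on the cluster for migrations. The script below is an added example, not code from the post: the host addresses and cluster name are the ones used above, the pvecm status text is a constructed sample (not captured from a real node), and the parser assumes the Nodes: and Quorate: lines that pvecm status prints.

```shell
#!/bin/sh
# Added example, not from the original post: build the cluster from the CLI
# instead of the web interface, then verify quorum before relying on it.
# Assumes the post's addresses (vmhost1 at 172.16.1.10 is the first node) and
# the cluster name LabNetwork. The pvecm output below is a constructed sample.

CLUSTER_NAME="LabNetwork"
FIRST_NODE="172.16.1.10"
EXPECTED_NODES=3

# Run once, as root on vmhost1: initialises the cluster and its corosync config.
create_cluster() {
  pvecm create "$CLUSTER_NAME"
}

# Run as root on vmhost2 and vmhost3: the CLI equivalent of pasting the join
# information into the web interface. pvecm prompts for the first node's root
# password and copies the cluster configuration over.
join_cluster() {
  pvecm add "$FIRST_NODE"
}

# Read `pvecm status` text on stdin; succeed only when the cluster is quorate
# AND the node count equals the number of hosts we expect. Quorate: Yes with a
# lower count would mean one host silently failed to join.
check_quorum() {
  awk -v want="$1" '
    /^Quorate:/ { quorate = ($2 == "Yes") }
    /^Nodes:/   { nodes = $2 }
    END { if (quorate && nodes == want) exit 0; exit 1 }
  '
}

# Constructed sample (not captured from a real node) of a healthy cluster.
sample_status_healthy() {
  cat <<'EOF'
Cluster information
-------------------
Name:             LabNetwork
Config Version:   3

Quorum information
------------------
Quorum provider:  corosync_votequorum
Nodes:            3
Node ID:          0x00000001
Quorate:          Yes

Votequorum information
----------------------
Expected votes:   3
Total votes:      3
Quorum:           2
Flags:            Quorate

Membership information
----------------------
    Nodeid      Votes Name
0x00000001          1 172.16.1.10 (local)
0x00000002          1 172.16.1.11
0x00000003          1 172.16.1.12
EOF
}

# Constructed sample of the same node after losing contact with the others.
# Without quorum Proxmox makes /etc/pve read-only and refuses to start VMs.
sample_status_degraded() {
  cat <<'EOF'
Quorum information
------------------
Nodes:            1
Node ID:          0x00000001
Quorate:          No

Votequorum information
----------------------
Expected votes:   3
Total votes:      1
Quorum:           2 Activity blocked
EOF
}

# On a real node this reads the live status; elsewhere it uses the sample.
verify_cluster() {
  if command -v pvecm >/dev/null 2>&1; then
    pvecm status | check_quorum "$EXPECTED_NODES"
  else
    sample_status_healthy | check_quorum "$EXPECTED_NODES"
  fi
}

if verify_cluster; then
  echo "cluster quorate with $EXPECTED_NODES nodes"
else
  echo "cluster NOT healthy: check pvecm status and corosync before continuing" >&2
fi
```

Run check_quorum after the last pvecm add and again after any host reboot; a two-node cluster with one host down is exactly the state in which the degraded sample is printed, which is why a three-host lab is the smallest comfortable size.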

Uploading the ISO images

After configuring the cluster, I needed to upload the ISO images for each of the servers and workstations. This is a time-consuming process, but it is part of the preparation. I uploaded all of the images I needed to the local storage on each of the hosts.

View of ISO images section of the local storage on vmhost1.
ISO images view on vmhost1

Here are the links to get all of the images I used:

That’s it; it doesn’t take much to install Proxmox and configure a cluster. Now that I have the software images uploaded, I am ready to configure software defined networking so I can segment the network.

Creating a New Home Hacking Lab with Proxmox

Sadly, my plans for my budget private cloud did not work out. Long story short, I have moved internationally twice since I first made plans to build that cloud: first to Japan, then to Italy. Through those moves I lost two servers. On the upside, I have plans for the remaining three servers: a better home hacking lab using Proxmox.

Designing a new hacking lab with Proxmox for learning and new courses.

After taking a year off I am back to making Pluralsight courses. I recently published Security Onion Basic Concepts and Functionality. I am currently working on a new course: Command and Control with Sliver. While creating the new course, I decided that I needed a better lab to simulate an actual network and make use of the Globomantics domain. Globomantics is a fake company Pluralsight uses for demos. I took some old servers I had from a previous project, drew up a design for a potential network, and got to work. The design I came up with is below.

Hacking lab design in Proxmox. External network, firewall, DMZ, and internal network.
Proxmox hacking lab design

The design includes a firewall with separate internal and DMZ networks. The DMZ contains a vulnerable web server from VulnHub, a DNS server using Pi-Hole, and an email server running iRedMail. I use a DMZ because I want to keep the vulnerable hosts separate from the internal network. The internal network is a Microsoft Active Directory domain with a few workstations and a file server; I included one Ubuntu workstation as well that is joined to the domain. For security I have a firewall running pfSense and a Security Onion server acting as an IDS and SIEM.

On the external side I have a Kali Linux VM that is my main workstation for hacking, along with a phishing LXC running Gophish. I also have another Pi-Hole DNS server running that the internal network forwards requests to. This allows me to configure DNS records for fake websites without having to register actual domains.

Available Equipment for Home Lab

The three servers I have left are:

  • VMhost1: Dell Poweredge R610
    • 2x 6 core Intel Xeon processors
    • 16 GB RAM
    • 600 GB HDD
  • VMhost2: Dell Poweredge R610
    • 2x 6 core Intel Xeon processors
    • 16 GB RAM
    • 600 GB HDD
  • VMhost3: Dell Poweredge R510
    • 2x 6 core Intel Xeon processors
    • 16 GB RAM
    • 1.8 TB HDD

The biggest issue I will face is the available RAM for the number of machines I plan to run. So, I will make use of Linux Containers (LXC) where possible to reduce the resources required for particular services. I should be able to use an LXC for DNS, email, and the phishing server because these services use fewer resources.

Additional Considerations for Network and Proxmox

  1. I am building this on a separate segment of my home network. It will remain behind a firewall, and none of the vulnerable machines will be exposed to the Internet.
  2. I am using Proxmox as the virtualization software because it is free and allows me to use features like software defined networking, clusters for management, and VM migration between hosts.
  3. I have limits on host performance due to using very old equipment. I will likely need to build a new host in the future to improve performance and reduce power consumption in the long term.

Ready to Build the Home Hacking Lab with Proxmox

For this build I am going to create posts about each step that serve as a guide for anyone looking to build something similar. The first post in that series will show the VMhost cluster and cover software defined networking installation.

Embarking on a New Venture: Creating a Private Cloud with Openstack For Under $1700

I have two business ideas to explore, and I decided that now is a good time to take the plunge and create a prototype. My hesitation throughout the last year was due to the time and financial investment required. After some inspiration, detailed thought, and self-evaluation, I am ready to go for it. Worst case scenario, this is going to eat up a lot of my time. Even if I lose time, I will learn a lot about cloud infrastructure, cloud networking, and cloud instance provisioning. My first business idea is in the realm of home and small business network cyber security. The second utilizes a private cloud platform to provision labs for IT and cyber security training. A small virtual lab isn’t going to cut it for these ventures.

My Current Setup

Before I can pursue these builds, I need to upgrade my home network and lab and select a platform. I currently have 3 old used servers (2 Dell PowerEdge R510s and an HP ProLiant DL360) for the cloud. For networking, I have an ancient Cisco switch. I think I can get by with the old switch for now, but a small private cloud requires more servers. I can use the private cloud to provision networks to test out capabilities, learn, and design. These can also hold prototypes and proofs of concept for demonstrations. For the private cloud I selected OpenStack as my platform. This will allow me to provision instances using Terraform and have more flexibility with networking configuration. I can also avoid a large AWS and Azure bill while I experiment with different configurations. The only thing that will suffer is my power bill 😊.

Dell R510s and Cisco 3560 in my basement
These are my Dell R510s and Cisco 3560, forgive the mess, straightening this out is part of the project.

Project Goals

Based on the OpenStack documentation I will need at least 4-5 servers to support my configuration, which is a small compute cloud. To use Juju and Metal as a Service (MAAS) to deploy the cloud I will need 2 more servers, but I could probably use one of my servers and host 2 VMs instead of purchasing another server. I haven’t yet decided whether I am going to use Juju and MAAS to deploy OpenStack, but I do know that I need at least 2 more servers for my project. I also want to separate my private cloud from the rest of my network while still maintaining network performance with the added security, so I will need a firewall/IPS appliance. Once complete, my home network will look something like this:

Home network diagram with Openstack private cloud in DMZ
The private cloud will be located on a DMZ allowing me to apply different security standards.

My Private Cloud Budget

I am trying to stay under $2,000 total for this project (including what I already spent). Below is the price I paid for everything I already have.

Device                Qty   Unit Cost   Shipping   Total Cost
HP ProLiant DL360       1     $149.99    $112.89      $262.88
Dell PowerEdge R510     2     $238.99     $75.00      $552.98
Cisco Catalyst 3560     1      $69.00     $17.95       $86.95
Total Cost                                            $902.81
Existing devices with costs at time of purchase

So, based on that I have about $1100 to spend. Although I have plenty of room, I am sticking with used equipment. The only exception I am making is my firewall appliance.

Purchasing New Equipment

I was able to find 2 Dell PowerEdge R610s for $157 each, well within budget. My shipping costs to my location are really high, so I have to keep that in mind. Even with the shipping costs, I still consider these a bargain and they meet my needs. These servers also come from the same vendor as my previous purchases (PC Server and Parts), so I know they will arrive in good condition and operate well.

Dell PowerEdge R610 server

Next I need a firewall appliance. For this I am going straight to a vendor, because their site is a lot cheaper than Amazon. This appliance from Protectli has 4 NICs, a quad core processor, and a small SSD. This is more than enough to run pfSense (and it was already tested for it), so it will easily meet my needs and be a step up from my current options for under $300.

Protectli Firewall Appliance

Total Costs

With those 2 purchases I have all the equipment I will need, and significantly under my max budget! The only other purchase I might make is a rack to store the equipment and a PDU. For now, I just have to wait for them to arrive. I plan to start sometime in December. While I wait, I am going to work on my remote access solutions, determine what IDS/IPS I am going to use (Suricata, Snort, or Bro), and finalize my design of how this will all fit together.

Device                Qty   Unit Cost   Shipping   Total Cost
HP ProLiant DL360       1     $149.99    $112.89      $262.88
Dell PowerEdge R510     2     $238.99     $75.00      $552.98
Cisco Catalyst 3560     1      $69.00     $17.95       $86.95
Protectli FW4B          1     $282.00      $7.00      $289.00
Dell PowerEdge R610     2     $156.99    $111.00      $424.98
Total Cost                                          $1,616.79
Existing devices with costs at time of purchase

Using Vagrant to Automate My Pluralsight Lab Builds

It’s time to automate my lab builds with Vagrant. I decided to try and complete 2 Pluralsight courses at the same time over the next 3 months, Suricata: Getting Started, and Scanning for Vulnerabilities with NSE. If you’ve watched any of my previous courses you know that I often do a basic walk through of the lab environment I use, and leave it to you if you want to replicate it.

I just want to say, I don’t like doing this. I apologize that, up until now, I didn’t have a better solution. The reason for the brief explanation is time constraints. I don’t think anyone wants a 1+ hour walkthrough of a lab build. However, based on some of you that reached out, my current guide is not enough.

After a week of long nights after work, I have a solution that you can easily deploy using Vagrant. I created three Vagrant boxes and stored them on Vagrant Cloud (https://app.vagrantup.com/mattglass). Then I wrote a Vagrantfile that you can use to deploy the lab in VirtualBox. I also wrote a file to deploy each machine individually if you want. The machines download and come preconfigured to route between your LAN and an internal VirtualBox network. You just need to make some minor configuration changes to this file.

The Vagrantfile

If you want to get started now, here is the file to deploy all three machines:

# -*- mode: ruby -*-
# vi: set ft=ruby :

# This script deploys the network for Suricata: Getting Started in VirtualBox

# IMPORTANT: If you want to automate as much as possible, you need to
#   reconfigure the bridge to map to your interface name and the
#   default gateways to your networks.
#
# The disk resize below needs the vagrant-disksize plugin:
#   vagrant plugin install vagrant-disksize

Vagrant.configure("2") do |config|
  # No shared folder is needed for these boxes
  config.vm.synced_folder '.', '/vagrant', disabled: true

  # All three boxes authenticate with a username and password instead of the
  # Vagrant insecure key pair (Metasploitable 3 only supports password login)
  config.ssh.username = 'vagrant'
  config.ssh.password = 'vagrant'
  config.ssh.keys_only = false

  # Create Ubuntu Machine (routes between the bridged network and the LAN)
  config.vm.define "ubuntu" do |ubuntu|
    ubuntu.vm.box = "mattglass/ubuntu18-PS"
    ubuntu.vm.box_version = "0.0.2"
    ubuntu.disksize.size = '30GB'

    # Modify the bridge name to match your interface
    ubuntu.vm.network "public_network", bridge: "Intel(R) Dual Band Wireless-AC 7260",
      auto_config: false
    ubuntu.vm.network "private_network", virtualbox__intnet: "LAN",
      auto_config: false

    # Modify the default gateway here to match your network.
    # The last two lines replace the VirtualBox NAT gateway (10.0.2.2) with the
    # real LAN gateway; the iptables line removes the box's NAT masquerade rule.
    script = <<-SCRIPT
      echo Configuring network routing and forwarding...
      iptables -t nat -D POSTROUTING 1
      route add default gw 192.168.1.1
      route delete default gw 10.0.2.2 dev enp0s3
    SCRIPT

    # Applies the script above on every boot, not just the first provision
    ubuntu.vm.provision "shell", run: "always", inline: script

    # VirtualBox settings
    ubuntu.vm.provider "virtualbox" do |vb|
      vb.gui = true
      vb.name = "Ubuntu 18.04"
      vb.memory = "1024"
      vb.cpus = "2"
    end
  end

  # Metasploitable 2, LAN only; its default gateway is the Ubuntu router
  config.vm.define "meta2" do |meta2|
    meta2.vm.box = "mattglass/metasploitable2-PS"
    meta2.vm.box_version = "0.0.1"

    meta2.vm.network "private_network", virtualbox__intnet: "LAN", auto_config: false

    script = <<-SCRIPT
      echo Configuring network routing and forwarding...
      route add default gw 10.0.0.251
      route delete default gw 10.0.2.2 dev eth0
    SCRIPT

    # Applies the script above on every boot
    meta2.vm.provision "shell", run: "always", inline: script

    meta2.vm.provider "virtualbox" do |vb|
      vb.gui = true
      vb.memory = "512"
      vb.cpus = "1"
      vb.name = "Metasploitable 2"
    end
  end

  # Metasploitable 3 (Ubuntu 14.04) straight from Rapid7's Vagrant Cloud box
  config.vm.define "meta3" do |meta3|
    meta3.vm.box = "rapid7/metasploitable3-ub1404"
    meta3.vm.box_version = "0.1.12-weekly"
    meta3.vm.hostname = "metasploitable3-ub1404"

    meta3.vm.network "private_network", ip: "10.0.0.101", virtualbox__intnet: "LAN"

    script = <<-SCRIPT
      echo Configuring network routing and forwarding...
      route add default gw 10.0.0.251
      route delete default gw 10.0.2.2 dev eth0
    SCRIPT

    # Applies the script above on every boot
    meta3.vm.provision "shell", run: "always", inline: script

    meta3.vm.provider "virtualbox" do |vb|
      vb.name = "Metasploitable3-ub1404"
      vb.memory = "2048"
    end
  end
end

Vagrantfile Walkthrough

If you’re new to Vagrant, then you may benefit from a more detailed explanation of each of these parts and pieces. First, the beginning of the Vagrantfile. This section contains comments describing function, purpose, and important notes. The first real line initiates the build (Vagrant.configure…). This line begins every Vagrantfile and defines the “config” variable used in the next few lines.

# -*- mode: ruby -*-
# vi: set ft=ruby :

# This script deploys the network for Suricata: Getting Started in VirtualBox

# IMPORTANT: If you want to automate as much as possible, you need to
#   reconfigure the bridge to map to your interface name and the
#   default gateways to your networks.
#
# The disk resize below needs the vagrant-disksize plugin:
#   vagrant plugin install vagrant-disksize

Vagrant.configure("2") do |config|

Next are some global settings that apply to all three machines. Each machine uses the default Vagrant credentials (vagrant/vagrant), and all machines authenticate with a username and password instead of the Vagrant SSH keys. Metasploitable 3 uses username and password, so I set all of the machines to use the same. As a result, my environment doesn’t operate like a typical Vagrant environment, but the machines run and operate as I intended. Keep in mind that the bridged Ubuntu VM is reachable from your home LAN with those well-known credentials, so change the vagrant password (and config.ssh.password with it) if that network is shared.

  # No shared folder is needed for these boxes
  config.vm.synced_folder '.', '/vagrant', disabled: true

  # All three boxes authenticate with a username and password instead of the
  # Vagrant insecure key pair (Metasploitable 3 only supports password login)
  config.ssh.username = 'vagrant'
  config.ssh.password = 'vagrant'
  config.ssh.keys_only = false

Now It Makes the VMs

After the global configuration options comes the Ubuntu machine that is acting as a router between the two networks. This allows you to control access to these vulnerable VMs (although the firewall is completely open initially). You can also simulate accessing these machines from the Internet. Ubuntu is the primary machine for Suricata: Getting Started.

The first block gets my Ubuntu image from Vagrant Cloud and resizes the disk to 30GB (this needs the vagrant-disksize plugin). The next section configures the machine with 2 additional interfaces: one set to a bridged network and one on an internal VirtualBox network called LAN. Vagrant automatically configures a third interface set to NAT. This VM provisions with a script to remove that NAT gateway and ensure traffic routes to my LAN. My initial box had NAT configured using iptables, but I decided to remove that using the iptables line in the script.

Finally, there are Virtualbox specific configurations that display the GUI on load, rename the machine, configure the amount of RAM (1GB), and assign the number of CPUs.

  # Create Ubuntu Machine (routes between the bridged network and the LAN)
  config.vm.define "ubuntu" do |ubuntu|
    ubuntu.vm.box = "mattglass/ubuntu18-PS"
    ubuntu.vm.box_version = "0.0.2"
    ubuntu.disksize.size = '30GB'

    # Modify the bridge name to match your interface
    ubuntu.vm.network "public_network", bridge: "Intel(R) Dual Band Wireless-AC 7260",
      auto_config: false
    ubuntu.vm.network "private_network", virtualbox__intnet: "LAN",
      auto_config: false

    # Modify the default gateway here to match your network.
    # The last two lines replace the VirtualBox NAT gateway (10.0.2.2) with the
    # real LAN gateway; the iptables line removes the box's NAT masquerade rule.
    script = <<-SCRIPT
      echo Configuring network routing and forwarding...
      iptables -t nat -D POSTROUTING 1
      route add default gw 192.168.1.1
      route delete default gw 10.0.2.2 dev enp0s3
    SCRIPT

    # Applies the script above on every boot, not just the first provision
    ubuntu.vm.provision "shell", run: "always", inline: script

    # VirtualBox settings
    ubuntu.vm.provider "virtualbox" do |vb|
      vb.gui = true
      vb.name = "Ubuntu 18.04"
      vb.memory = "1024"
      vb.cpus = "2"
    end
  end
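Because the provisioner runs with run: "always", the inline script above is executed on every boot, and route add / route delete fail once the routes are already in the desired state (and deleting POSTROUTING rule 1 blindly removes whatever happens to be first). The script below is an added example, not the post's provisioning script: an idempotent replacement that inspects the routing table before acting. The gateway addresses are the post's (192.168.1.1 on the bridged side, 10.0.2.2 on the VirtualBox NAT interface enp0s3, and 10.0.0.251 as the router's LAN address, which is what the Metasploitable boxes point at); the interface names enp0s8/enp0s9 and the ip route lines in the sample tables are constructed, and it assumes the box's NAT rule is a MASQUERADE rule.

```shell
#!/bin/sh
# Added example, not the post's provisioning script: an idempotent version of
# the inline routing script for the Ubuntu router VM. Gateways are the post's
# (192.168.1.1 bridged, 10.0.2.2 VirtualBox NAT on enp0s3); enp0s8/enp0s9 and
# the sample routing tables below are constructed, not captured from a VM.
# Vagrant usage (assumed file name):
#   ubuntu.vm.provision "shell", run: "always", path: "routing.sh", args: "apply"

WANTED_GW="192.168.1.1"
NAT_IF="enp0s3"

# Print the gateway of the current default route from `ip route show` text
# read on stdin; prints nothing when there is no default route.
current_default_gw() {
  awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# Decide what a run should do from the routing table text on stdin:
#   keep     the wanted gateway is already the default
#   add      no default route exists
#   replace  another gateway (normally the NAT one) is the default
routing_action() {
  gw=$(current_default_gw)
  case "$gw" in
    "$WANTED_GW") echo keep ;;
    "")           echo add ;;
    *)            echo replace ;;
  esac
}

# Delete every MASQUERADE rule in nat/POSTROUTING, and only those, by rewriting
# each "-A" rule spec from `iptables -S` into a "-D" command. Safe to rerun:
# with no matching rule nothing is executed.
drop_nat_masquerade() {
  iptables -t nat -S POSTROUTING | grep -- '-j MASQUERADE' | sed 's/^-A /-D /' |
  while read -r rule; do
    # word-splitting the rule spec back into arguments is intended here
    # shellcheck disable=SC2086
    iptables -t nat $rule
  done
}

# Apply on the real VM (needs root). `ip route replace` installs or swaps the
# default route in one step, so there is no add-then-delete window and no
# error when the route is already correct.
apply_routing() {
  action=$(ip route show | routing_action)
  echo "default route action: $action"
  case "$action" in
    keep) ;;
    add|replace)
      ip route replace default via "$WANTED_GW"
      drop_nat_masquerade
      ;;
  esac
  # The NAT interface keeps its link route so `vagrant ssh` still works.
  ip route show dev "$NAT_IF"
}

# Constructed sample: fresh boot, VirtualBox NAT gateway still the default.
sample_nat_table() {
  cat <<'EOF'
default via 10.0.2.2 dev enp0s3 proto dhcp src 10.0.2.15 metric 100
10.0.0.0/24 dev enp0s9 proto kernel scope link src 10.0.0.251
10.0.2.0/24 dev enp0s3 proto kernel scope link src 10.0.2.15
192.168.1.0/24 dev enp0s8 proto kernel scope link src 192.168.1.50
EOF
}

# Constructed sample: after a successful run, nothing left to do.
sample_routed_table() {
  cat <<'EOF'
default via 192.168.1.1 dev enp0s8
10.0.0.0/24 dev enp0s9 proto kernel scope link src 10.0.0.251
10.0.2.0/24 dev enp0s3 proto kernel scope link src 10.0.2.15
192.168.1.0/24 dev enp0s8 proto kernel scope link src 192.168.1.50
EOF
}

case "${1:-plan}" in
  apply) apply_routing ;;
  plan)
    # Dry run: report what apply would do, from the live table when available.
    if command -v ip >/dev/null 2>&1; then
      ip route show | routing_action
    else
      sample_nat_table | routing_action
    fi
    ;;
esac
```

Running the file with no argument only prints the planned action, which is a cheap way to confirm the gateway constants match your network before wiring it into the Vagrantfile with args: "apply".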

Creating the other two…

The rest of the script follows the same pattern to deploy a Metasploitable 2 VM and a Metasploitable 3 Ubuntu VM. The Metasploitable 2 VM is my first attempt at creating a Vagrant box from an existing VM. It’s not perfect, but it does work well enough, and I apologize in advance. Metasploitable 3 deploys directly from Rapid7’s Vagrant Cloud box. I made a couple of changes to networking to make it work from this internal network.

  # Metasploitable 2, LAN only; its default gateway is the Ubuntu router
  config.vm.define "meta2" do |meta2|
    meta2.vm.box = "mattglass/metasploitable2-PS"
    meta2.vm.box_version = "0.0.1"

    meta2.vm.network "private_network", virtualbox__intnet: "LAN", auto_config: false

    script = <<-SCRIPT
      echo Configuring network routing and forwarding...
      route add default gw 10.0.0.251
      route delete default gw 10.0.2.2 dev eth0
    SCRIPT

    # Applies the script above on every boot
    meta2.vm.provision "shell", run: "always", inline: script

    meta2.vm.provider "virtualbox" do |vb|
      vb.gui = true
      vb.memory = "512"
      vb.cpus = "1"
      vb.name = "Metasploitable 2"
    end
  end

  # Metasploitable 3 (Ubuntu 14.04) straight from Rapid7's Vagrant Cloud box
  config.vm.define "meta3" do |meta3|
    meta3.vm.box = "rapid7/metasploitable3-ub1404"
    meta3.vm.box_version = "0.1.12-weekly"
    meta3.vm.hostname = "metasploitable3-ub1404"

    meta3.vm.network "private_network", ip: "10.0.0.101", virtualbox__intnet: "LAN"

    script = <<-SCRIPT
      echo Configuring network routing and forwarding...
      route add default gw 10.0.0.251
      route delete default gw 10.0.2.2 dev eth0
    SCRIPT

    # Applies the script above on every boot
    meta3.vm.provision "shell", run: "always", inline: script

    meta3.vm.provider "virtualbox" do |vb|
      vb.name = "Metasploitable3-ub1404"
      vb.memory = "2048"
    end
  end
end

Enjoy the script, and I look forward to your comments on my two new courses at the end of the year. As always, feedback on how this can be improved is welcome.

Welcome To My Blog

Hello, I am Matt Glass, an IT Project Manager at Leidos and a Pluralsight Author. My IT career began with my military service in 2008 where I was trained in the United States Marine Corps as a data network specialist. Throughout my 8 years in the Marines I was responsible for configuring network equipment, servers, and workstations in various locations around the world. This experience served as a solid foundation for my career, and I give most of the credit to my supervisors along the way (Steve Young, Marson Griffith, Jason DeGroote, and Chris Nash in particular) for pushing me to learn and grow.

I started contributing to Pluralsight as an author after leaving the Marine Corps in late 2016 to continue giving something back to the community. In the same spirit of giving something back, I decided to start this blog and an associated YouTube channel to expand on my education efforts and track the status of various projects for anyone who wants to follow along.

Each week I will upload a guide here to serve as a project update, along with a video walkthrough on my YouTube channel. In addition, I will occasionally post an explanation of a particular network protocol or server application to provide an understanding of how my projects are operating in the background. I will also share scripts to help automate tasks and streamline your operations outside of what I cover in each project.

My first project centers around a problem I experienced within my own home. I have a simple monitoring capability built into my WiFi router that tracks my children’s activity (Circle, if you are familiar). While this does track most of their activity, I found the filtering capability is limited, and Circle cannot tell the difference between an app communicating in the background and one of my children actively using the device.

For my project, I want to accomplish the following:

  • Enhance this capability
  • Improve my home network security
  • Block traffic on a more granular level
  • Improve traffic analysis and distinguish between background traffic and active user traffic
  • Centralize logging from each device I use to accomplish these tasks
  • Block known malicious traffic
  • Block ads if possible
  • Keep the budget low (I am trying to do this using Raspberry Pis)

I will post another entry and video with my hardware selection, design, and explanation for my choices.
