Building a Security-Focused Homelab: Lessons from Week One

Oct 22, 2025 • 3 min read • Intermediate

  • Homelab
  • SIEM

Starting my homelab journey has been more rewarding than I expected. After researching budget options, I settled on a Dell OptiPlex 7070 with 16GB of RAM, 256GB of storage, and an Intel i5 8500T. It’s not the most powerful machine on the market, but it’s proven more than adequate for my needs.

The Setup

I installed Proxmox as my hypervisor and spun up several virtual machines to create a functional security testing environment:

  • A Domain Controller for Active Directory practice
  • Wazuh for endpoint monitoring and log analysis
  • Pi-hole for network-wide ad blocking
  • REMnux for malware analysis work

Surprisingly, the OptiPlex has handled this entire stack without breaking a sweat. The i5 8500T may be a few generations old, but it’s managing multiple concurrent VMs with no performance issues.

Early Observations

Wazuh has been the most interesting component so far. I’ve deployed agents across all my home devices and VMs, and started ingesting Apache logs from this website. The site sits behind a Cloudflare proxy, so unfortunately the original source IPs don’t make it through. Even with that limitation, it’s fascinating to watch the constant background noise of the internet: automated scanners probing for vulnerabilities, testing common exploit paths, and generally knocking on every door they can find.

Here’s a typical example of what I’m seeing in the logs:

172.68.0.143 - - [22/Oct/2025:17:51:38 +0000] "GET //site/wp-includes/wlwmanifest.xml HTTP/1.1" 404 518 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36"

This scanner is looking for WordPress files that don’t exist on my site. The double slash in the path and the request for wlwmanifest.xml (a WordPress-specific file) are clear indicators of automated reconnaissance. These types of requests come in constantly, probing for outdated CMS installations and known vulnerabilities.
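The indicators described above can be checked mechanically. The following is an added example, not part of the original post or of Wazuh: it parses Apache combined-format lines and flags the double slash and WordPress-specific paths. Apart from `wlwmanifest.xml`, the marker list is an assumption, and every sample line except the first is constructed.

```python
import re

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# wlwmanifest.xml comes from the post; the other markers are assumed additions.
WP_MARKERS = ("wlwmanifest.xml", "/wp-includes/", "/wp-login.php", "/xmlrpc.php")


def classify(line):
    """Return (path, reasons); reasons is empty for benign or unparseable lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None, []
    # The host field is ignored: behind Cloudflare it is the proxy edge, not the client.
    path = m["path"].split("?", 1)[0]
    reasons = []
    if re.search(r"(?<!:)//", path):  # repeated slash, but not the "//" in "http://"
        reasons.append("double-slash")
    if any(marker in path.lower() for marker in WP_MARKERS):
        reasons.append("wordpress-path")
    # A 404 alone is ordinary; it only adds weight next to a path indicator.
    if reasons and m["status"] == "404":
        reasons.append("404")
    return path, reasons


def scan(lines):
    """Return {path: reasons} for every line with at least one indicator."""
    hits = {}
    for line in lines:
        path, reasons = classify(line)
        if reasons:
            hits[path] = reasons
    return hits


SAMPLE = [  # first line is the one quoted in the post; the rest are constructed
    '172.68.0.143 - - [22/Oct/2025:17:51:38 +0000] "GET //site/wp-includes/wlwmanifest.xml HTTP/1.1" 404 518 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36"',
    '192.0.2.10 - - [22/Oct/2025:17:52:01 +0000] "GET /posts/week-one/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [22/Oct/2025:17:52:09 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '192.0.2.12 - - [22/Oct/2025:17:53:40 +0000] "GET /xmlrpc.php HTTP/1.1" 301 0 "-" "curl/8.5.0"',
]

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE).items():
        print(path, reasons)
```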

Part of me wants to spin up a honeypot SSH server and feed those logs into Wazuh just to watch the authentication failures roll in. It would be a great way to observe attack patterns in real time.

What’s Next

This is just the beginning. I’m planning to expand the lab with additional monitoring tools and create isolated networks for safer malware analysis. The goal is to build an environment where I can safely test detection capabilities and practice incident response in a controlled setting.

If you’re considering starting your own homelab, my advice is simple: start small and grow as you learn. You don’t need enterprise-grade hardware to build something useful.

Resources to Get You Started

If this post has you thinking about building your own security homelab, here are some excellent guides from 2025:

  1. Home Lab Security: 5 Threats You’re Not Watching (Virtualization Howto, April 2025) - A comprehensive look at modern homelab security threats, including misconfigured reverse proxies, container vulnerabilities, and weak access controls.

  2. A beginner’s guide to setting up Proxmox (XDA Developers, October 2024) - A detailed walkthrough covering Proxmox installation, from creating bootable USB drives to setting up your first virtual machines.

  3. Ultimate Proxmox Setup Guide 2025 (Geeky Gadgets, 2025) - Covers post-installation configuration, ZFS storage setup, GPU passthrough, and remote access options.

Elmer Phillips — Security Analyst