Securing a Home Lab: Enterprise Security Practices at Home

How I apply enterprise security practices to my home lab — from network segmentation and SIEM to vulnerability scanning and intrusion detection.

Why Bother with Home Lab Security?

A home lab connected to the internet is a target. It has real services, real data, and real attack surface. Treating it like a production environment isn't paranoia — it's practice. Every security pattern I implement at home reinforces skills I use professionally.

Network Segmentation

VLANs separate traffic by trust level. A compromised IoT device shouldn't be able to reach my management interfaces:

VLAN Layout (simplified):
┌─────────────────────────────────────────┐
│ Management      - Infrastructure mgmt   │
│ Servers         - Docker, Proxmox VMs   │
│ Trusted Devices - Workstations, laptops │
│ IoT             - Smart home, cameras   │
│ Guest           - Isolated guest access │
│ Security        - IDS sensors, honeypot │
└─────────────────────────────────────────┘

Firewall rules enforce strict inter-VLAN policies. IoT devices can reach the internet but cannot initiate connections to any other VLAN. Management interfaces are only accessible from the trusted network.

Intrusion Detection & Prevention

Multiple layers of detection run simultaneously:

Tool          Role                      How It Works
Suricata IDS  Network-level detection   Inspects mirrored traffic from the gateway via a SPAN port
Wazuh SIEM    Host-level detection      Agents on every node: file integrity, log analysis, rootkit detection
CrowdSec      Collaborative blocking    Shares threat intelligence with the global community, auto-blocks known bad actors
fail2ban      Service-level protection  Bans IPs after failed auth attempts on SSH and web services

Suricata Deep Dive

Suricata receives a copy of all network traffic via a SPAN/mirror port configured on the gateway. This passive deployment means it sees everything without being inline, so an overloaded or crashed sensor cannot break connectivity. The trade-off is that it can only alert, never drop; blocking is left to CrowdSec and fail2ban on the hosts. Two caveats to keep in mind: a SPAN port silently discards packets once the mirrored traffic exceeds the link speed (watch Suricata's capture.kernel_drops counter), and for TLS flows the sensor only sees handshake metadata such as SNI and certificates, not content:

# Suricata configuration (key sections)
af-packet:
  - interface: eth0    # SPAN port receiving mirrored traffic
    cluster-type: cluster_flow
    defrag: yes

rule-files:
  - suricata.rules      # ET Open ruleset (auto-updated)
  - custom.rules        # Lab-specific detection rules

outputs:
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json  # Parsed by Wazuh for correlation
      types:
        - alert
        - dns
        - tls
        - http
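Because eve.json is what Wazuh correlates, the two checks a practitioner would run over it first are the top-alerts-by-signature-and-source view and a test of the inter-VLAN policy from the Segmentation section against the flows the sensor actually saw. The following is an added example, not the author's code: the VLAN subnets, the sample records and the exact encoding of the policy are assumptions for this example, since the page names the VLANs but not their address ranges.

```python
"""Summarise Suricata eve.json and check observed flows against the inter-VLAN policy."""
import ipaddress
import json
from collections import Counter

# Assumed VLAN-to-subnet mapping (placeholder ranges; the page does not give them).
VLANS = {
    "Management": ipaddress.ip_network("10.10.0.0/24"),
    "Servers": ipaddress.ip_network("10.20.0.0/24"),
    "Trusted": ipaddress.ip_network("10.30.0.0/24"),
    "IoT": ipaddress.ip_network("10.40.0.0/24"),
    "Guest": ipaddress.ip_network("10.50.0.0/24"),
    "Security": ipaddress.ip_network("10.60.0.0/24"),
}

# Constructed sample of eve.json records (NDJSON); only the fields read below are filled in.
SAMPLE_EVE = """\
{"timestamp":"2024-05-01T10:00:01.000000+0000","event_type":"alert","src_ip":"10.40.0.23","dest_ip":"10.10.0.5","dest_port":22,"proto":"TCP","alert":{"signature":"ET SCAN Potential SSH Scan","severity":2}}
{"timestamp":"2024-05-01T10:00:02.000000+0000","event_type":"alert","src_ip":"10.40.0.23","dest_ip":"10.10.0.5","dest_port":22,"proto":"TCP","alert":{"signature":"ET SCAN Potential SSH Scan","severity":2}}
{"timestamp":"2024-05-01T10:00:03.000000+0000","event_type":"dns","src_ip":"10.40.0.23","dest_ip":"1.1.1.1","dest_port":53,"proto":"UDP","dns":{"rrname":"example.com"}}
{"timestamp":"2024-05-01T10:00:04.000000+0000","event_type":"alert","src_ip":"203.0.113.9","dest_ip":"10.20.0.10","dest_port":443,"proto":"TCP","alert":{"signature":"ET WEB_SERVER Possible SQL Injection Attempt","severity":1}}
{"timestamp":"2024-05-01T10:00:05.000000+0000","event_type":"flow","src_ip":"10.40.0.41","dest_ip":"10.10.0.1","dest_port":443,"proto":"TCP","flow":{"state":"established"}}
{"timestamp":"2024-05-01T10:00:06.000000+0000","event_type":"flow","src_ip":"10.40.0.41","dest_ip":"93.184.216.34","dest_port":443,"proto":"TCP","flow":{"state":"established"}}
"""


def vlan_of(ip):
    """Name of the VLAN an address belongs to, or None for anything outside the lab."""
    addr = ipaddress.ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return None


def parse_eve(text):
    """Parse NDJSON eve output, skipping blank or truncated lines (the file is appended live)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict):
            records.append(rec)
    return records


def top_alerts(records, n=5):
    """Alert counts by (signature, source IP): the dashboard view described later."""
    counts = Counter(
        (r["alert"]["signature"], r["src_ip"])
        for r in records if r.get("event_type") == "alert"
    )
    return counts.most_common(n)


def allowed(src_vlan, dst_vlan):
    """Inter-VLAN policy from the Segmentation section. dst_vlan None = internet."""
    if dst_vlan is None or src_vlan == dst_vlan:
        return True
    if dst_vlan == "Management":
        return src_vlan == "Trusted"   # management only from the trusted network
    if src_vlan in ("IoT", "Guest"):
        return False                   # IoT and Guest never initiate to other VLANs
    return True


def segmentation_violations(records):
    """Unique (src_ip, dest_ip, dest_port) for lab-originated traffic the policy forbids.
    Inbound traffic from the internet is edge-firewall policy, not inter-VLAN policy,
    so records whose source is outside the lab are skipped."""
    seen = set()
    for r in records:
        if "src_ip" not in r or "dest_ip" not in r:
            continue
        src, dst = vlan_of(r["src_ip"]), vlan_of(r["dest_ip"])
        if src is None or allowed(src, dst):
            continue
        seen.add((r["src_ip"], r["dest_ip"], r.get("dest_port")))
    return sorted(seen)


if __name__ == "__main__":
    recs = parse_eve(SAMPLE_EVE)
    for (sig, src), count in top_alerts(recs):
        print(f"{count:4d}  {sig}  from {src}")
    for src, dst, port in segmentation_violations(recs):
        print(f"POLICY VIOLATION: {src} -> {dst}:{port} ({vlan_of(src)} -> {vlan_of(dst)})")
```

A flagged flow means one of two things, and both deserve an alert: either a firewall rule has a gap, or a device on the IoT or Guest VLAN is probing other segments and is being stopped at the gateway. Since the sensor sees the SYN either way, this check catches the attempt regardless of whether the firewall let it through.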

Wazuh SIEM

Wazuh agents run on every Proxmox node. They provide:

  • File Integrity Monitoring (FIM): Detects unauthorized changes to system files, configs, and binaries
  • Log Analysis: Parses syslog, auth logs, and application logs for suspicious patterns
  • Vulnerability Detection: Scans installed packages against CVE databases
  • Rootkit Detection: Periodic scans for known rootkit signatures and anomalous behavior
  • Compliance Monitoring: Checks against CIS benchmarks and custom baselines

<!-- Example Wazuh custom rule (lives in local_rules.xml; custom IDs start at 100000).
     Built-in rule 5710 fires on sshd "Invalid user" lines, i.e. guesses at accounts
     that do not exist. Failed passwords for accounts that DO exist fire rule 5716
     instead, so a sibling rule keyed on 5716 is needed to count those as well.
     same_source_ip keeps the count per attacker rather than across all sources. -->
<group name="ssh_brute_force">
  <rule id="100001" level="10" frequency="5" timeframe="60">
    <if_matched_sid>5710</if_matched_sid>
    <same_source_ip />
    <description>SSH brute force detected (5+ failures in 60s from one source)</description>
    <group>authentication_failures,</group>
  </rule>
</group>
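To make the frequency/timeframe semantics concrete, here is an added example (mine, not the author's rule or Wazuh's code) that runs the same sliding-window logic over sshd log lines: count failed logins per source address and alert when five land inside sixty seconds. The log lines are constructed, and the timestamp format (journalctl short-iso style) is an assumption for the example.

```python
"""Sliding-window SSH brute-force detection over sshd log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample (not real lab logs). 192.0.2.10 fails five times inside
# 60 s; 198.51.100.7 fails three times spread over several minutes.
SAMPLE_AUTH_LOG = """\
2024-05-01T10:00:00+0000 lab-node1 sshd[2101]: Invalid user admin from 192.0.2.10 port 51122
2024-05-01T10:00:00+0000 lab-node1 sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 51122 ssh2
2024-05-01T10:00:05+0000 lab-node1 sshd[2102]: Failed password for root from 192.0.2.10 port 51138 ssh2
2024-05-01T10:00:09+0000 lab-node1 sshd[2103]: Invalid user test from 192.0.2.10 port 51140
2024-05-01T10:00:09+0000 lab-node1 sshd[2103]: Failed password for invalid user test from 192.0.2.10 port 51140 ssh2
2024-05-01T10:00:12+0000 lab-node1 sshd[2104]: Accepted publickey for ops from 10.30.0.8 port 40022 ssh2
2024-05-01T10:00:20+0000 lab-node1 sshd[2105]: Failed password for root from 192.0.2.10 port 51144 ssh2
2024-05-01T10:00:40+0000 lab-node1 sshd[2106]: Failed password for invalid user guest from 192.0.2.10 port 51150 ssh2
2024-05-01T10:01:00+0000 lab-node1 sshd[2107]: Failed password for root from 198.51.100.7 port 60001 ssh2
2024-05-01T10:01:05+0000 lab-node1 sshd[2108]: Failed password for root from 192.0.2.10 port 51160 ssh2
2024-05-01T10:02:30+0000 lab-node1 sshd[2109]: Failed password for root from 198.51.100.7 port 60002 ssh2
2024-05-01T10:04:10+0000 lab-node1 sshd[2110]: Failed password for root from 198.51.100.7 port 60003 ssh2
"""

# One failed authentication outcome. "Invalid user ..." lines are ignored on purpose:
# sshd logs them in addition to the matching "Failed password for invalid user ..."
# line, so counting both would charge one guess twice.
FAILED_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_failures(text):
    """Yield (timestamp, user, src_ip) for every failed authentication line."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S%z")
            yield ts, m["user"], m["src"]


def detect_brute_force(text, threshold=5, window_seconds=60):
    """Alert when one source accumulates `threshold` failures inside a sliding window.
    The window is kept per source IP (the rule's same_source_ip) and is cleared after
    an alert, so one sustained burst produces one alert instead of one per extra guess."""
    windows = defaultdict(deque)
    alerts = []
    for ts, user, src in parse_failures(text):
        q = windows[src]
        q.append((ts, user))
        while q and (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()                       # drop failures older than the window
        if len(q) >= threshold:
            alerts.append({
                "src": src,
                "at": ts,
                "count": len(q),
                "users": sorted({u for _, u in q}),
            })
            q.clear()
    return alerts


if __name__ == "__main__":
    for a in detect_brute_force(SAMPLE_AUTH_LOG):
        print(f"{a['at'].isoformat()} brute force from {a['src']}: "
              f"{a['count']} failures, users tried {a['users']}")
```

The slow attacker in the sample (three tries over four minutes) never trips the rule, which is the point of a timeframe: lower the threshold or widen the window and it would, at the cost of more noise from users mistyping their own passwords.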

Vulnerability Scanning

Two tools provide overlapping coverage:

  • Greenbone/OpenVAS: Network vulnerability scanner — weekly scans of all hosts, checks for misconfigurations, open ports, and known CVEs
  • Trivy: Container image scanner — weekly cron scans all Docker images for vulnerable packages, misconfigured Dockerfiles, and embedded secrets

#!/usr/bin/env bash
# Trivy scanning all running container images (weekly via cron).
# `docker ps` covers running containers only; `docker images` would include stopped ones too.
set -euo pipefail
for image in $(docker ps --format '{{.Image}}' | sort -u); do
  echo "Scanning: $image"
  trivy image --severity HIGH,CRITICAL "$image"
done

Access Control

Defense in depth for authentication and access:

  • SSH hardened: Key-only authentication, no root login, AllowUsers whitelist, MaxStartups to cap concurrent unauthenticated connections (per-IP rate limiting itself comes from fail2ban and CrowdSec)
  • Reverse proxy: All external services behind Nginx Proxy Manager with TLS termination; no direct port exposure
  • Authentik SSO: Single sign-on gateway for web applications with MFA enforcement
  • Vaultwarden: Self-hosted password manager for service credentials
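The SSH settings above are the kind that quietly regress: sshd keeps the first value it reads for a directive, so a hardening line appended below an earlier default, or a drop-in file pulled in by an Include near the top, silently wins. The following audit script is an added example (not the author's tooling) that parses an sshd_config the way sshd resolves it and reports gaps against the baseline in the list above. The two sample configs are constructed, and the MaxStartups, MaxAuthTries and LoginGraceTime values in the hardened one are illustrative choices.

```python
"""Audit an sshd_config the way sshd itself resolves it (first value wins)."""
import re

# OpenSSH defaults for the checked directives, used when a directive is absent.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}

# Baseline from the access-control list above (key-only auth, no root login).
REQUIRED = {
    "PasswordAuthentication": "no",
    "KbdInteractiveAuthentication": "no",   # ChallengeResponseAuthentication before OpenSSH 8.7
    "PubkeyAuthentication": "yes",
    "PermitRootLogin": "no",
}
MUST_BE_SET = ("AllowUsers", "MaxStartups")  # user whitelist, unauthenticated-connection cap

# Constructed sample: hardening appended below earlier defaults, which sshd ignores.
WEAK = """\
Include /etc/ssh/sshd_config.d/*.conf
PasswordAuthentication yes
PermitRootLogin prohibit-password
# --- hardening added later, never takes effect ---
PasswordAuthentication no
PermitRootLogin no
"""

# Constructed sample that meets the baseline. MaxStartups start:rate:full means:
# past 10 unauthenticated connections refuse 30% of new ones, refuse all at 60.
HARDENED = """\
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
AllowUsers ops backup
MaxStartups 10:30:60
MaxAuthTries 3
LoginGraceTime 20
Match User backup
    X11Forwarding no
"""


def parse_sshd_config(text):
    """Return (effective_values, findings) for the global section of a config.
    sshd uses the FIRST value it sees for a directive, so later duplicates are
    reported as shadowed. Parsing stops at the first Match block because
    everything below it is conditional, not global."""
    effective, findings = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        if key == "include":
            findings.append(
                f"line {lineno}: Include '{value}' is read here, so a drop-in file that sets "
                f"a directive beats every later line in this file; confirm with `sshd -T`")
            continue
        if key in effective:
            findings.append(
                f"line {lineno}: {parts[0]} {value} is shadowed by the earlier value "
                f"'{effective[key]}' (first value wins)")
            continue
        effective[key] = value
    return effective, findings


def audit(text):
    """Compare the effective config with the baseline; an empty list means compliant."""
    effective, findings = parse_sshd_config(text)
    for key, want in REQUIRED.items():
        got = effective.get(key.lower(), DEFAULTS[key.lower()])
        if got.lower() != want:
            note = "" if key.lower() in effective else " [directive absent, OpenSSH default]"
            findings.append(f"{key} is '{got}' (want '{want}'){note}")
    for key in MUST_BE_SET:
        if key.lower() not in effective:
            findings.append(f"{key} is not set")
    return findings


if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(f"== {name}: {len(audit(cfg))} finding(s)")
        for f in audit(cfg):
            print("  -", f)
```

On a live host, `sshd -T` prints the effective configuration after Include and Match resolution and is the authoritative answer; this script is for reviewing config files in a repository before they reach a host, where that command is not available.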

Security Monitoring

The security stack feeds into the same Grafana instance as infrastructure monitoring. Dedicated dashboards show:

  • Wazuh alert trends over time (spikes = investigate immediately)
  • Suricata top alerts by signature and source
  • Failed authentication attempts by service and source IP
  • CrowdSec ban activity and threat intelligence hits
  • Certificate expiry countdown (nothing breaks silently)

Lessons Learned

  1. Layer everything. No single tool catches everything. Network IDS + host agents + container scanning = overlapping coverage, each catching what the others miss.
  2. Automate scanning. Manual security checks don't happen. Cron jobs do. Schedule everything.
  3. Monitor your security tools. A Wazuh agent that stopped reporting 3 weeks ago is worse than no agent — it gives false confidence.
  4. Segment aggressively. The IoT VLAN has no business talking to the management network. Zero trust isn't just a buzzword.
  5. Practice incident response. When Suricata fires a critical alert, do you know what to do? Write runbooks before you need them.
  6. Keep it updated. The best firewall rules in the world don't help if you're running a 2-year-old kernel with known exploits.

Home lab security isn't about being paranoid — it's about building habits. Every pattern I implement here is one I can confidently recommend to customers. The lab is the proving ground.
