SecMark - Posts

Publish my Homelab to the Internet?

by Markus on 23-06-2026

The issue

For some time I've been extremely hesitant to publish my home lab into the internet so that I'll be able to access resources, don't get me wrong, I've really wanted to, and even few times opened it before I had the most current lab setup.

 

Some might ask, why not setup a VPN connection into the network, that way you can access it securely. Well even with VPN, you would be publishing the VPN gateway to the internet so that you'll be able to authenticate yourself. Knowing how much VPN gateways have been in the crosshairs of both cyber criminals and nation state actors, I really don't want to accept the associated risks in doing so. 

 

 

The Solution

Secure Access Service Edge / Zero Trust Network Access

The solution would be to onboard a more modern solution that can work as the zero trust network boundary that will control the network authentication and authorization layer into my network assets, so that the firewall can then only be there to function as a second structural border on what the connector server itself can access. and thus working as the next natural step in the defense in depth design.

 

Twingate

There are lots of great tools available from multiple different vendors to get this done, to name a few: Palo Alto Prisma Access, Zscaler Zero Trust Exchange, Microsoft Global Secure Access.

I ended up selecting Twingate for my home lab.
Why you might ask? Well ít had all the required capabilities for managing groups, users, resources, you name it, and it is free for home use. 

 

Identity and Access Management

I already have a Microsoft environment for this site, emails, ddossiamonitor, and other testing. So it is the optimal solution for ensuring that I have also the identity provisioning and logging available. 

 

When I first signed up into the platform, it enabled me to run through the basic enterprise application consent process to onboard it into my tenant. So it was pretty streamlined on the Twingate admin portal to actually onboard it. You just basically click "Add identity Provider" and it will pretty nicely run you through the process, I of course already had the app from my sign-up so only thing left to do was additional identity for the wife and app provisioning.

 

Microsoft and Twingate have good documentation also available on the process:
Microsoft (LINK)
Twingate (LINK)

 

On the Twingate side then it was just creating the appropriate groups and access restrictions to assets. For everyone I added access to our fileshare so we can access it from any device while away. and for privileged users(me) access to few internal admin portals. 

 

Final words

For anyone having a home lab and not wanting to publish internal resources into the internet through traditional means, I highly recommend getting your hands on some type of SASE solution that can handle this for your own needs.

 

 

 

 




Homelab

by Markus on 10-06-2026

I finally decided to write something about my home lab and what I actually have running in my home. I had previously indeed made a post that I had done documentation, but this was just more for internal record keeping in case I forget something 😁

High Level Description

My home network generally consist of two segments which are separated from each other via firewall, there is the basic consumer home network side which has a pretty standard plug and play setup for wifi appliances like mobile devices, camera, smart TV, robot vacuum etc IOT devices. And then there is my more secure segment, which has separated network zones for servers, PC, management laptop, work laptop, and other things which one would like to have behind a firewall.

Basic idea for my home lab was to create myself a more secure environment for fooling around and testing security tools, practice setting up the networks, have useful servers for the home, design and document the process and it's components, and testing anything that might pop into my head. 


Diagram
Network Diagram


Device Assets

DNS

Raspberry Pi 4 Model B

DNS Server is a which has a pretty basic PiHole configuration running on it, so blocking ADs and providing DNS services, using Cloudflare as the upstream DNS Servers.
Additionally hosts a local internal DNS zone for secmark.fyi to make server assets more readily available.

SIEM Server

Old ass HP Pavilion p6240sc

This old hunk of junk is from like 2009 and rocking Phenom 2. Got it from my mom in case I had any use for it and it actually ended up being in my junk corner for a good amount of time. UNTIL. I decided that I want to build a SIEM server.
So now it is rocking an ubuntu server with Elastic, the original RAM as you might imagine made the entire server reeeally slow, so I bought few extra 8 GB sticks from some local guy selling them in the internet, and now it is responsive.
One might think that no way this old machine is able to run Elastic, yeah well, doesn't even get close to minimum requirements listed on their website, but seems to be running just fine in this small environment.
The original hard drive however did get busted during April fools day... so I had to spend couple of days recovering the data and building the logical volumes into the new disk manually... it was way past using any cloning tools, trust me, I tried.

The SIEM itself currently is ingesting logs from the firewall, my PC (Elastic Security Client), DNS and next in turn would be the NAS logs.
I've enabled a good number of built-in rules in the Elastic Security and created a few myself to have some level of baseline alerting capability in place. So far only two security incidents raised, both benign.

This server is additionally running the DDoSsia Monitor tool alerting service. https://github.com/secmark-tools/secmark-DDoSsiaMonitor

Specs:
AMD Phenom(tm) II X4 810
16 GB RAM (DDR3)
500GB LVM (Some old Seagate)
Ubuntu Server


TrueNAS SCALE

Custom Server built from old parts

With all the cloud storage solutions like Google Drive, Microsoft OneDrive etc. costing like 100 € per year, I've long considered building a NAS server just to get a place for all my memories without having the risk of losing all of them if a payment fails and I miss a reminder email, or some other similar stupid reason.
Earlier when I found out that I'm getting a baby, it was the final trigger for me to get it sorted, so I spent months looking for good deals on WD red drives and stacking them on my table for setting up a raid setup, ensuring redundancy for all the data. So now I have few TB of storage of which I've so far used 0.9 %, after filtering out all the blurry and bad pictures I've taken over the years. Some of them still on old phones, but all in due time 😁.
Still three disks sitting on the background in case I need to expand the storage, or if a disk fails and I need to replace one.

Specs:
i7-2600K
12 GB RAM (DDR3)
500GB OS Disk (some old Seagate I had laying around)
3 TB (RAID 1)
TrueNAS SCALE


My haxxxor laptop

MSI GL62 6QD

Using this as a management device for setting up all the firewall rules, or if outside of the management network I use it for bughunting and stuff like that.


PC

Acer Nitro N50-650

Yeah, I haven't bothered to build my past two PCs, such good Black Friday sales 😂. I use this for accessing the SIEM server and doing some small virtualization projects, I have few CTF machines and a Spiderfoot server.

 


Network Devices

Sorry keeping this section a bit shorter, don't want to give too much out 😉

 

WAN Routers

Huawei + ZTE((B)(BU) & Valoo WIFI Mesh + Nokia(B)

Basically the WAN routers on the edge of my home network, pretty basic DHCP & DNS setup for regular devices in that network. No port triggers/forwards in place.

 

Firewall

Zywall

Got one for an excellent price and wanted a firewall for this lab so a great choice with all requirements I needed.

 

Switch

Netgear

Needed the possibility of having few extra ports available for this firewall zone for when I extend my server inventory or if I have a small LAN party with a friend or two.

 


Networking

When it comes to the home network segment everything is really relaxed, but one the more secure side on the firewall I've planned everything a bit more strict.

I've started creating everything from scratch starting with a deny all catch at the bottom.
Idea is that DNS and NAS can be accessed more freely as core services in their respective network ports, while preventing other discussions between the network zones. and only allowing management accesses to management interfaces (HTTP/S and SSH) from management devices of the specific server assets.

Why not everything behind the firewall & Threats?

I have a SIEM behind the firewall and I'm logging a good number of things happening on the servers and network, so to keep the answer short and simple, I respect the privacy of my family members and guests enough not to log their activities when they are using the internet and internal services within the house.
Main priority being to have myself a separate more secured network area, and since I'm not publishing anything directly to the internet I feel that the router firewall is sufficient for the home network and a firewall for my network is more than sufficient security layer.

Main threat is missing visibility for home network in case an IOT device or a mobile device is breached, so I will not have immediate knowledge if an asset in the home segment is breached, but this is mitigated by separate security monitoring rules identifying unexpected traffic at the firewall in case breach attempts were attempted from the home network towards the firewall or assets behind it, so I'll at least be aware if post initial access lateral movements were to happen towards the more protected assets.


What next?

I have one motherboard on the shelf waiting for a stock cooler and a cheap hard drive and I'll spin up a Proxmox server for my virtualization projects so I don't have to keep playing with them on the PC.

Bringing some of the IOT devices from the home network into a separate zone behind the firewall.




Basics of Reporting Vulnerabilities incl. Report Template

by Markus on 22-02-2025

When I was first starting bug hunting it was fairly unclear still what you should include into your vulnerability reports, especially if you don't have a reporting platform with required* fields.

I've been doing this on/off for some time now and I decided to create a template for reporting these if you end up filing these via email.

 

First things first, most companies actually have public facing emails (pr, press, contact etc.) and contact forms that can be useful to initiate first contact.
It is recommended that you don't send a report directly using these unless you know you reach the right people, as in some cases these might be some 3rd party customer support team somewhere down the supply chain, without direct contact to your actual customers security team, but let them know that you've found a vulnerability with rating X and that you'd like to have contact for, or be contacted by the information security team.
Getting through these channels can take number of days to weeks, usually just days, patience is a virtue.

 

When you have the right person on the line, you should send the report. BUT due note, if you have a super critical RCE or SQLi vulnerability that may affect a large number personal data, it is also worth considering using asymmetric encryption algoritms to protect the email communications, but I will not cover this here.

 

Please remove Example details from the report below before using 😅

 

TEMPLATE:
Vulnerability Type(s):

[List any vulnerabilities that may be connected to this single vulnerability, this can be basically contain anything from misconfiguration or an open redirect to an RCE]

 

Vulnerable Assets:

[List Assets here, this list could contain anything from indivual URLs to installed server components affected]

https://example.com/webshop/checkout-cancel?redirect=

 

Description:

[Explain the vulnerabilities and their impact in DETAIL and explain the path you took to reach that vulnerability, this portion can be long and should be well centered around the problems(s) found.]

I was doing shopping on your website, I was about to checkout but remembered another product which I still needed to add to my cart so I cancelled the process, while doing so I noticed that you were doing a redirect on the cancel button.

I decided to test putting random URLs after the redirect and it seems that it allows redirection to any URL.

 

POC Exploit:

[I Exploit available. Ask how the customer prefers these to be delivered, attaching a zip or a script file to an email may just end up in quarantine]

I will not be providing an exploit for this vulnerability as it is easy for you to reproduce, instead I'll write an example attack scenario:

  1. Domain exampie.com is currently free and can be typosquatted (social engineering)
  2. Set up email records for this domain and generate example rewards template for your webshop showing them that they've been rewarded product X, I'll get this template and the product details directly from your previous marketing campaign emails from date: xx.xx.xxxx (social engineering)
  3. Setup a copy website of your login page to gather users credentials (phish)
  4. On login, forward them to a form for shipping details (phish)
  5. After shipping details forward to a postage details asking for credit card details (phish)

 

Attacker will walk out with: Username, Password, Home Address, Creditcard


Recommended Remediation Options:

[Add here X number of examples on how this should and could be fixed detailing possible dendencies or affected components if known.]

It is recommended that any redirection functions operate with separate Allow lists to fulfill operational needs. [if you have idenfied their web framework you can give articles here]

 

[Additional Notes]

 

Hope to hear from you in the near future 😊

 

[Signature]




Azure Web App: Handling Files with SSH

by Markus on 09-02-2025

As I was deploying this application, the only concern for me was how to actually handle deployment of patches as my database is inside the application container itself, which you cannot access via Kudu. And any further deployments would just override all database contents.

1) Open Azure Cloud shell in Windows Terminal application, it is a built in component so no need for installs


2) Authenticate to your tenant using Device login and selecting your tenant by selecing the desired tenant number


3) When the shell opens insert the following command 
az webapp create-remote-connection --subscription [SubscriptionID] --resource-group [ResourcegroupName] -n [AppName] &


4) This will open a tunneled SSH connection to the webapp resource, after tunnel is open, you can use the same shell to ssh


5) During the SSH negotiation you may run into similar MAC error, just define it in the ssh command. After this you'll be prompted for the root password which is "Docker!"


Now when you are inside the docker / your websites actual active directory, you can confirm this by just running the "ls" command.


To make a copy of your database you'll just need to run "cp database.db /home/" and the file will be copied to your Kudu home, which you can then access directly with your browser using your default domain name:
https://.scm..azurewebsites.net/newui/fileManager
Ex: https://examplewebapp.scm.westeurope-01.azurewebsites.net/newui/fileManager

 

Now you can make a copy of into your dev and proceed with what ever update or patch you might be running. 

 

Hope this helped!




Finally Got This Site Hosted!

by Markus on 19-01-2025

Hello World! (sorry)

It was approximately 8 months ago when I started coding this website, and after couple of weeks of hitting my face into a wall with CSS, I was done and ready to move into TESTing. I went digging through my PC graveyard and found a nice one for a testing server, something in the terms of Athlon X4 with 4 GB DDR2.

 


The Framework and DEV

 

Although I've been programming here and there for years, it has been limited to Python, so I was pretty much only left with two options, Django or Flask.
I had done a Django site for a job interview close to 9 years ago and struggling with lack of documentation and knowing the scale of website I was planning on building I naturally leaned towards Flask.

 

Knowing it had been close to a decade since the last one, I decided to start by looking for a suitable tutorial, fortunately Flask themselves provided one:
https://flask.palletsprojects.com/en/stable/tutorial/
Following this tutorial I ended up getting to a point where I could actually start altering the code to my individual needs by expanding and adjusting the database, including other modules and improving the functions to further adjust the stability, and create new ones to implement additional functionalities. Pretty much recreating the entire thing block by block.

 

After this started my couple day struggle with CSS... we don't talk about that, please don't look.
And we were done with DEV.

 


The TEST struggle.

 

This being the first time pushing a website to prod I struggled alot, I ended up spending several hours even reading documentations of different possibilities to evaluate what I should actually go with.
Ended up going with nginx->Gunicorn reverse proxy setup.
https://flask.palletsprojects.com/en/stable/deploying/

 

Installing the servers and migrating the data was the easy part, then came the struggle of actual debugging. Due to immense amount of bad writeups and outdated documentation, actually configuring the servers took hours, I really got sick and tired of pointing of IPs and ports, and configuring domain names, and custom writing some cfg files, and making uneducated judgements on outdated documentation on how the implementation should actually be done on my environment, etc., I truly hope I don't have to do this again in a really long time.

 

But after a while I was actually able to get my server up and running in the internet.

 


How to PROD?

 

Actually getting here took that 8 months or so, ignoring the obvious procrastination it took me some consideration on what the approach would be, of course I could host this at home, but at what price? Considering that my wife and I both work from home and with sensitive materials I would need to properly segregate the networks and the price tag of additional non-EOL network hardware on top of my existing consumer level setup would be in four digits, not even considering the electricity and other implicit costs related to hardware maitenance.
Picture of my home network for reference so you get the gist:

Here comes to procrastination, just having to struggle with the TEST deployment I was expecting as much when it comes to cloud deployments, but after several months I finally decided to start looking at deploying. Being already familiar with Microsoft Azure I didn't really even evaluate other options.
After watching a few videos of how people had deployed Flask to Azure it immediately raised a few concerns in my mind, primarily the project structure. My current structure was something like this(obviously a rough example):
Flask Project Root> tree
.
|____venv
|____DB
||____database
|____Appfiles
||____Static
|||____site.css
||____Sitehtml
|||____index.html
||____BackendCodeX.py
||____BackendCodeY.py
||____BackendCodeZ.py
||____schema
|____requirements.txt
|____x.toml

What these videos had in common was that all the files required for the application deployment resided in the same structure, in comparison to mine where some of the other required directories were in the Project root.
Even with this in mind I decided to just set up the App Services web app and deploy via VSCode, immediately ran into an error with "--no-dev" parameter and first googling of the error took me to Microsoft's github issues section https://github.com/microsoft/Oryx/issues/2557 :
"Update: The rollout is progressing smoothly, and if everything continues on track, we should be able to complete it across all regions and clouds by early January 21st."
This was actually fixed in my situation by actually properly building the requirements.txt file, which I had accidentally forgotten.

 

Second deployment attempt was all green, but for some reason the azurewebsites URL still took me to the default page, something weird going on here, after reading through the logs I found "No framework detected; using default app from /opt/defaultsite" which lead me to a long Googling rampage and eventually found that the most common reason is missing "gunicorn" in the requirements.txt, this is of course even "mentioned" in the Flask deployment link above "You’ll probably need to Tell Flask it is Behind a Proxy when using most hosting platforms.", of course which I hadn't even visited before starting the writing of this article.

Yet I was still getting the same "No framework detected;" error, I tried random deployments in different orders and structures until I eventually just stopped to breath and read and analyze documentation.

 

 

THE FIX


I made a totally new folder and cloned the Microsoft's sample site and deployed it: https://github.com/Azure-Samples/msdocs-python-flask-webapp-quickstart
Everything worked great and deployment logs showed that Flask framework was detected

 

 

THE ROOT CAUSE (suspected)


if __name__ == '__main__':
   app.run()

After analysing the codes side by side the only difference was that I didn't have this kind of standard run statement, during earlier debugging I even read that someone had to remove this as Microsoft was doing it automatically and was causing errors in code.
My code basically just returned the app from __init__.py never calling run. 

 

So I ended up scrapping the Microsoft Samples files leaving only the main app file, and carefully replacing it contents with the stuff inside my __init__ file while also ensuring that the app object can still be called by the app.run() method.
After this I decided that I'll do a test deployment knowing that the code itself won't work, just to ensure that the framework detection still works, and it was all green!

 

Next I spent a good amount of time just reading through all the project files and fixing any module calls and directory refenrences to their current logical paths where they'd reside in after deployment.
And after a few failed deployments and errors caused by the DB connections or paths I finally saw the site deployed! WOOP WOOP! 

 

Now the hard part was done!

 

Only thing I ended up having still issues with was the SSL certificates for this custom domain, due to me doing DEV on a Windows I didn't have simple access to openssl and had to do additional installations to do conversion of the private key and cert file to a PFX cert for Azure and I was in business!

 

Now the only thing I need to worry about is that within this 8 months, I've done some updates directly on the TEST, while I did the deployment from the DEV code, we'll I guess I'll run into something eventually  if that's the case :D

 

If you got this far, thank you for reading! If you have any questions please hit me up in Bluesky or via email and I'll happily answer.
 




Credits:

User-interface icons created by Rizki Ahmad Fauzi - Flaticon