Reconnaissance — How Attackers Start
Before exploiting anything, attackers gather information. Reconnaissance is either passive (collecting publicly available data without ever touching the target) or active (sending packets to the target's systems and watching how they answer). Any public IP is hit by automated scanners within minutes of coming online, so assume whatever your homelab exposes has already been indexed.
Passive recon (no direct contact):
Shodan.io → search engine for internet-connected devices
Censys.io → similar, more technical
WHOIS / DNS lookups → domain ownership, name servers, MX records
Certificate Transparency logs → crt.sh lists every publicly logged TLS cert for a domain, which often exposes subdomain names you never advertised

Active recon (directly probing your systems):
Port scanning → which ports are open?
Service detection → what software + version is running?
OS fingerprinting → what OS is the target running?

What attackers see about your homelab:
nmap -sV -O your.public.ip ← they run this, constantly (-O needs root)
Port Scanning — What It Looks Like
Port scanning sends packets to a range of ports and observes the responses: for a TCP SYN scan, a SYN/ACK means open, a RST means closed, and silence usually means a firewall is filtering. Open ports reveal running services, banner grabbing reveals versions, and versions map directly to known CVEs.
# What attackers run (and what you should run on your own systems):
nmap -sV 192.168.1.120            # version detection
nmap -sV -sC 192.168.1.120        # + default scripts
nmap -p- 192.168.1.120            # all 65535 ports (slow)
nmap -O 192.168.1.120             # OS fingerprint (needs root)
# Quick scan (-F = the 100 most common ports; the default without -F is the top 1000)
nmap -T4 -F 192.168.1.0/24

What a result tells an attacker (illustrative -sV output):
22/tcp   open  ssh       OpenSSH 8.9 (Ubuntu)   ← exact version → look up its CVEs
80/tcp   open  http      nginx 1.18.0           ← same
8006/tcp open  ssl/http                         ← Proxmox web UI exposed! (whatever label nmap prints for the service, the port number is the giveaway)
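The practical follow-up to "scan yourself" is to compare the result against what you meant to expose. The script below is an added example, not code from the original article: it parses nmap's grepable output (`-oG`, whose port entries are `port/state/proto/owner/service/rpc/version/`, with `/` inside a field escaped as `|`) and flags every open port that is not in a per-host allowlist, naming common management interfaces. The scan text, the allowlist and the management-port table are constructed for the example; the sample mirrors the result shown above.

```python
"""Audit an nmap -oG scan against a per-host allowlist of intentionally open ports.

Added example (not from the original article). Real use:
    nmap -sV -oG scan.gnmap 192.168.1.0/24 && python3 audit_scan.py scan.gnmap
"""
import re
import sys
from dataclasses import dataclass

# Constructed -oG output mirroring the article's example host (not a real scan).
SAMPLE = """\
# Nmap 7.94 scan initiated as: nmap -sV -oG - 192.168.1.120
Host: 192.168.1.120 ()\tStatus: Up
Host: 192.168.1.120 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9 (Ubuntu)/, 80/open/tcp//http//nginx 1.18.0/, 8006/open/tcp//ssl|http///\tIgnored State: closed (997)
# Nmap done
"""

# Ports you deliberately expose, per host (constructed policy; edit for your lab).
ALLOWED = {"192.168.1.120": {22, 80}}

# Management interfaces that should never answer on a scanned network (constructed table).
MANAGEMENT_PORTS = {
    8006: "Proxmox VE web UI", 8007: "Proxmox Backup Server", 3389: "RDP",
    5900: "VNC", 9090: "Cockpit", 10000: "Webmin", 445: "SMB",
}

PORTS_RE = re.compile(r"^Host: (\S+) \(.*?\)\tPorts: (.*?)(?:\t|$)")


@dataclass(frozen=True)
class OpenPort:
    host: str
    port: int
    proto: str
    service: str
    version: str


def parse_gnmap(text):
    """Return the open ports in nmap grepable output as OpenPort records."""
    found = []
    for line in text.splitlines():
        m = PORTS_RE.match(line)
        if not m:
            continue  # comment lines and 'Status:' lines carry no ports
        host, ports = m.groups()
        for entry in ports.split(", "):
            fields = entry.split("/")
            if len(fields) < 7:
                continue
            port, state, proto, _owner, service, _rpc, version = fields[:7]
            if state == "open":
                # nmap writes '/' inside a field as '|' so the record stays splittable
                found.append(OpenPort(host, int(port), proto,
                                      service.replace("|", "/"), version.replace("|", "/")))
    return found


def audit(results, allowed=ALLOWED):
    """Every open port not in the host's allowlist becomes an alert string."""
    alerts = []
    for r in results:
        if r.port in allowed.get(r.host, set()):
            continue
        label = MANAGEMENT_PORTS.get(r.port, "not in allowlist")
        desc = " ".join(x for x in (r.service, r.version) if x)
        alerts.append(f"{r.host}:{r.port}/{r.proto} {desc} <- {label}")
    return alerts


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for alert in audit(parse_gnmap(text)):
        print("EXPOSED:", alert)
```

Run it from cron against your own public IP and diff the output over time; a new line means either you changed something or someone else did.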
ARP Spoofing & MITM
ARP (Address Resolution Protocol) maps IP addresses to MAC addresses on a LAN. It has no authentication — any device can claim to be any IP. Attackers exploit this to position themselves between two devices and intercept all traffic.
Normal ARP:
Device asks: "Who has 192.168.1.1? Tell 192.168.1.50"
Router replies: "192.168.1.1 is at aa:bb:cc:dd:ee:ff"
ARP Spoofing attack:
Attacker sends: "192.168.1.1 is at attacker:mac:addr" ← lie
Victim updates ARP cache, routes all traffic through attacker
Result: attacker relays and observes all traffic between victim and router
Plain HTTP, DNS, and any other cleartext protocol is fully readable and modifiable
HTTPS payloads stay encrypted: to read them the attacker must get the victim to accept an attacker-controlled certificate (a browser warning) or downgrade the connection to plain HTTP, which is why certificate warnings on your own LAN must never be clicked through
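To make the "lie" concrete, here is the exchange above at the frame level, plus the check a defender runs against it. This is an added example, not code from the original article: it builds and parses Ethernet/ARP frames in memory with struct (nothing is sent, no raw sockets), then feeds them to a small arpwatch-style monitor that remembers which MAC each IP last announced and alerts when the binding changes. The MAC and IP addresses are constructed for the walkthrough.

```python
"""ARP spoofing at the packet level, with an arpwatch-style detector.

Added example, not code from the original article. Frames are built and parsed
in memory (no raw sockets); all addresses below are constructed.
"""
import struct
from typing import Optional, Tuple

ETH_TYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp(oper, sender_mac, sender_ip, target_mac, target_ip, eth_dst=None) -> bytes:
    """Ethernet II frame carrying an RFC 826 ARP packet (IPv4 over Ethernet)."""
    eth_dst = eth_dst or target_mac
    eth = mac_bytes(eth_dst) + mac_bytes(sender_mac) + struct.pack("!H", ETH_TYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, then the operation code
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame: bytes) -> Optional[Tuple[int, str, str, str, str]]:
    """Return (oper, sender_mac, sender_ip, target_mac, target_ip), or None for non-ARP frames."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return (oper, mac_str(frame[22:28]), ip_str(frame[28:32]),
            mac_str(frame[32:38]), ip_str(frame[38:42]))


class ArpWatch:
    """Remembers the IP -> MAC binding each ARP sender announces; a change is the spoofing tell.

    ARP has no notion of an authoritative answer, so requests and replies both carry a
    sender binding and the monitor learns from either. It only alerts, it never blocks
    (the same idea as arpwatch, or the log side of a switch's Dynamic ARP Inspection).
    """

    def __init__(self):
        self.bindings = {}
        self.alerts = []

    def observe(self, frame: bytes) -> None:
        parsed = parse_arp(frame)
        if parsed is None:
            return
        _oper, sender_mac, sender_ip, _tmac, _tip = parsed
        known = self.bindings.get(sender_ip)
        if known is not None and known != sender_mac:
            self.alerts.append(f"{sender_ip} moved from {known} to {sender_mac} (possible ARP spoof)")
        self.bindings[sender_ip] = sender_mac


def demo():
    """Replay the exchange from the text: one honest resolution, then the attacker's two lies."""
    router, victim, attacker = "aa:bb:cc:dd:ee:ff", "11:22:33:44:55:66", "de:ad:be:ef:00:01"
    watch = ArpWatch()
    frames = [
        # "Who has 192.168.1.1? Tell 192.168.1.50": broadcast request from the victim
        build_arp(ARP_REQUEST, victim, "192.168.1.50", ZERO_MAC, "192.168.1.1", eth_dst=BROADCAST),
        # "192.168.1.1 is at aa:bb:cc:dd:ee:ff": honest unicast reply from the router
        build_arp(ARP_REPLY, router, "192.168.1.1", victim, "192.168.1.50"),
        # The lie: the attacker tells the victim the gateway lives at the attacker's MAC
        build_arp(ARP_REPLY, attacker, "192.168.1.1", victim, "192.168.1.50"),
        # The mirror lie to the router, so return traffic also flows through the attacker
        build_arp(ARP_REPLY, attacker, "192.168.1.50", router, "192.168.1.1"),
    ]
    for frame in frames:
        watch.observe(frame)
    return watch.alerts


if __name__ == "__main__":
    for alert in demo():
        print("ALERT:", alert)
```

Two alerts come out: one for the gateway's IP and one for the victim's, because a full MITM has to poison both caches. On a real LAN the same `observe()` would be fed from a packet capture; the static-ARP and DAI defenses below are what turn this alert into a block.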
Defenses:
Dynamic ARP Inspection (DAI) on managed switches → drops ARP replies that contradict the DHCP snooping table
Static ARP entries for critical devices → the gateway's MAC can no longer be overwritten on that host
Network segmentation → ARP only works inside a broadcast domain, so the attacker must already be on the victim's VLAN
ARP monitoring (arpwatch or your switch's DAI log) → alert whenever an IP's MAC changes
HTTPS with HSTS → payloads stay encrypted if intercepted, and HSTS blocks the downgrade to plain HTTP that SSL-stripping depends on

Detecting Scanning on Your Network
Defenders can spot reconnaissance in logs. Patterns to look for: one source touching many ports in a short window, repeated connection attempts to closed ports (these land in your firewall's block log, since a closed port answers with nothing useful to the defender otherwise), and bursts of failed authentication from a single source or against many usernames.
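Those three patterns can be pulled out of two log files with a few regexes. The script below is an added example, not code from the original article: it counts failed SSH passwords per source in auth.log, handling both message shapes sshd emits ("Failed password for root from IP" and "Failed password for invalid user X from IP", which is why a fixed awk column is unreliable), flags sources by volume and by breadth of usernames, and separately counts distinct blocked destination ports per source in ufw's kernel log to catch port sweeps. Both log excerpts are constructed (RFC 5737 documentation addresses) in the real ufw and OpenSSH line formats; the thresholds are assumptions to tune.

```python
"""Pull reconnaissance patterns out of auth.log and the firewall block log.

Added example, not code from the original article. Real use:
    python3 recon_detect.py /var/log/auth.log /var/log/ufw.log
"""
import re
import sys
from collections import defaultdict

# Constructed sshd lines in both shapes OpenSSH emits (no real hosts).
SAMPLE_AUTH = """\
Mar  3 02:14:01 homelab sshd[4120]: Failed password for root from 203.0.113.7 port 50122 ssh2
Mar  3 02:14:03 homelab sshd[4122]: Failed password for invalid user admin from 203.0.113.7 port 50130 ssh2
Mar  3 02:14:04 homelab sshd[4124]: Failed password for invalid user pi from 203.0.113.7 port 50141 ssh2
Mar  3 02:14:06 homelab sshd[4126]: Failed password for invalid user ubuntu from 203.0.113.7 port 50155 ssh2
Mar  3 02:14:09 homelab sshd[4130]: Failed password for root from 203.0.113.7 port 50162 ssh2
Mar  3 02:20:44 homelab sshd[4201]: Failed password for alice from 192.168.1.50 port 55012 ssh2
Mar  3 02:20:51 homelab sshd[4203]: Accepted publickey for alice from 192.168.1.50 port 55012 ssh2
Mar  3 02:31:17 homelab sshd[4310]: Failed password for invalid user test from 198.51.100.23 port 41002 ssh2
"""

# Constructed ufw block lines: one source walking through well-known ports, one stray local hit.
SAMPLE_UFW = """\
Mar  3 02:40:01 homelab kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.120 LEN=44 TTL=52 PROTO=TCP SPT=50200 DPT=21 SYN URGP=0
Mar  3 02:40:01 homelab kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.120 LEN=44 TTL=52 PROTO=TCP SPT=50201 DPT=23 SYN URGP=0
Mar  3 02:40:02 homelab kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.120 LEN=44 TTL=52 PROTO=TCP SPT=50202 DPT=445 SYN URGP=0
Mar  3 02:40:02 homelab kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.120 LEN=44 TTL=52 PROTO=TCP SPT=50203 DPT=3389 SYN URGP=0
Mar  3 02:40:03 homelab kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.120 LEN=44 TTL=52 PROTO=TCP SPT=50204 DPT=5900 SYN URGP=0
Mar  3 02:40:03 homelab kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.120 LEN=44 TTL=52 PROTO=TCP SPT=50205 DPT=8006 SYN URGP=0
Mar  3 02:45:10 homelab kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.120 LEN=44 TTL=64 PROTO=TCP SPT=60001 DPT=9000 SYN URGP=0
"""

# Anchoring on "from" handles both line shapes; a fixed column index does not.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)
BLOCK_RE = re.compile(r"\[UFW BLOCK\] .*?SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)")


def failed_logins(lines):
    """Per source IP: number of failed passwords and the set of usernames tried."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set()})
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            stats[m["src"]]["attempts"] += 1
            stats[m["src"]]["users"].add(m["user"])
    return dict(stats)


def suspicious_sources(stats, min_attempts=3, min_users=2):
    """Flag brute force (volume) and password spraying (many usernames); thresholds are assumptions."""
    flagged = []
    for src, s in stats.items():
        reasons = []
        if s["attempts"] >= min_attempts:
            reasons.append(f"{s['attempts']} failures")
        if len(s["users"]) >= min_users:
            reasons.append(f"{len(s['users'])} distinct usernames")
        if reasons:
            flagged.append((src, ", ".join(reasons)))
    return sorted(flagged, key=lambda item: -stats[item[0]]["attempts"])


def port_sweeps(lines, min_ports=5):
    """Sources whose dropped packets hit many distinct ports: the signature of a port scan."""
    ports = defaultdict(set)
    for line in lines:
        m = BLOCK_RE.search(line)
        if m:
            ports[m["src"]].add(int(m["dpt"]))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    auth = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUTH
    fw = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_UFW
    for src, why in suspicious_sources(failed_logins(auth.splitlines())):
        print(f"SSH  {src}: {why}")
    for src, dports in port_sweeps(fw.splitlines()).items():
        print(f"SCAN {src}: {len(dports)} ports {dports}")
```

The same source shows up in both detectors here, which is the usual order of events: a sweep finds port 22, then the brute force starts. Feeding `journalctl -u ssh` output into `failed_logins()` works unchanged on journald-only hosts, since the message text is identical.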
# Rank source IPs by failed SSH passwords in auth.log
# (pull the IP after "from" rather than a fixed awk column: $11 is the IP for
#  "Failed password for root from ..." but the username for "... invalid user X from ...")
grep "Failed password" /var/log/auth.log | grep -oE 'from [^ ]+' | awk '{print $2}' | sort | uniq -c | sort -rn
# Who is currently connected?
ss -tnp
netstat -tnp      # legacy equivalent from net-tools; prefer ss
# Active connection attempts right now
watch -n2 "ss -tn state established"
# See who's been blocked by fail2ban
fail2ban-client status sshd
# Check for unexpected listening services (compare against the list of what you expect to be running)
ss -tlnp → TCP listening
ss -ulnp → UDP listening

Network Segmentation as Defense
The strongest network defense isn't detection — it's containment. If an attacker compromises one device, segmentation prevents lateral movement to the rest of your homelab.
Without segmentation:
IoT camera gets compromised → attacker can reach Proxmox, NAS, everything
→ full homelab exposed from one cheap device

With segmentation (VLANs + firewall rules):
IoT VLAN → can only reach the internet, nothing internal
Server VLAN → reachable from the management VLAN; no path to IoT and no path back into management
Management VLAN → restricted to specific admin IPs
Inter-VLAN traffic denied by default; only the flows above are allowed, and established/related return traffic rides on them

Cloudflare Tunnel benefit: zero open inbound ports
No port = no scan result = no attack vector from the internet
Caveat: the tunneled application is still reachable through Cloudflare's edge, so it still needs its own authentication (or an Access policy in front of it) and patching. The tunnel removes the open port, not the application.