[EN] Security Operation Center Setup

Author: Soner Sahin

2025-08-17

5 minute read

SOC , Virtualization , Windows , Linux , Firewall

Hi everyone! In this article, I will take you through my Security Operation Center environment on Hetzner, which is a German company that provides web hosting services and data centers.

I want to start by sharing my excitement with you.

I have been interested in IT for some time and have built several lab environments, ranging from small to large. After gaining experience, I wanted to build my own SOC environment to gain more real-life experience.

I have learned many things that have sharpened my knowledge significantly. I will maintain this project as long as possible and share my experiences with you by writing new articles about it. My aim here is to defend, gain experience, and learn new things as much as possible.

I’m writing this article as a guide for those who want to build their own lab environment and gain real-life experience.

I have been planning this project for some time, and after extensive research, I created a proper lab topology as you can see below.

Topology

SOC

Hetzner Dedicated Server

I will be using Hetzner as my cloud provider, which is among the best and has a solid, secure infrastructure with affordable costs.

I purchased the “EX44” model dedicated server, which is sufficient to build your own SOC if you don’t need a large one. In my case, it is more than adequate.

Here are the server model and its features.

SOC

Additional IP

I will install virtualization software on this dedicated server and then install a firewall solution on it. Therefore, I need 2 public IP addresses. I already have one that is included in the dedicated server price, but I need a second one for the firewall’s WAN side.

Here’s how to purchase an additional public IP address.

SOC

After purchasing the additional IP address, we need to separate their MAC addresses.

As you can see in the image below, there is a PC icon next to the additional IP address. Click that icon to separate the MAC addresses.

SOC

Proxmox Installation

Now, it’s time to install Proxmox on our server.

I’m including some articles below that will help you if you get stuck.

https://community.hetzner.com/tutorials/install-and-configure-proxmox_ve

https://medium.com/@artem_lajko/setup-ve-with-proxmox-on-hetzner-single-mode-6b76061efcdb

Here is how I did it.

Once the ordering process is complete, you will be sent the server information that will allow you to SSH. Keep the credentials safe.

SSH Connection

Connect to the server via SSH to install Proxmox.

SOC

1installimage

SOC

1SWRAIDLEVEL 0

Note: SWRAIDLEVEL 0 creates a striped RAID configuration without redundancy. This provides maximum performance but no fault tolerance. For production environments, consider using RAID 1 or RAID 5 for better data protection.

SOC

1HOSTNAME proxmox-soc.local

SOC

1IPV4_ONLY yes

SOC

Partitioning

SOC

Save and quit.

If everything is correct, you will be taken to a screen like the following.

SOC

Once the installation is complete, reboot the server and wait a couple of minutes.

Then navigate to your IP address and the relevant port for Proxmox, which is 8006 by default.

SOC

Here is Proxmox successfully installed.

Here you can upload the ISO images you plan to use.

SOC

Network Configuration

Here is the network configuration of my Proxmox server. I’ve created multiple network bridges to segment different network zones:

vmbr0: WAN interface (connected to the internet)
vmbr1: Management network (for Proxmox administration)
vmbr2: LAN-1 for servers
vmbr3: LAN-2 for client machines
vmbr4: SOC network (Security Operations Center)
vmbr5: DMZ network (Demilitarized Zone)
vmbr6: Monitoring network

SOC

 1root@proxmox-soc ~ # cat /etc/network/interfaces
 2# network interface settings; autogenerated
 3# Please do NOT modify this file directly, unless you know what
 4# you're doing.
 5#
 6# If you want to manage parts of the network configuration manually,
 7# please utilize the 'source' or 'source-directory' directives to do
 8# so.
 9# PVE will preserve these directives, but will NOT read its network
10# configuration from sourced files, so do not attempt to move any of
11# the PVE managed interfaces into external files!
12
13source /etc/network/interfaces.d/*
14
15auto lo
16iface lo inet loopback
17
18iface lo inet6 loopback
19
20auto enp5s0
21iface enp5s0 inet manual
22
23auto vmbr0
24iface vmbr0 inet static
25        address 88.99.31.180/26
26        gateway 88.99.31.129
27        bridge-ports enp5s0
28        bridge-stp off
29        bridge-fd 0
30
31auto vmbr1
32iface vmbr1 inet manual
33        bridge-ports none
34        bridge-stp off
35        bridge-fd 0
36#Management
37
38auto vmbr2
39iface vmbr2 inet manual
40        bridge-ports none
41        bridge-stp off
42        bridge-fd 0
43#LAN-1_Servers
44
45auto vmbr3
46iface vmbr3 inet manual
47        bridge-ports none
48        bridge-stp off
49        bridge-fd 0
50#LAN-2_Clients
51
52auto vmbr4
53iface vmbr4 inet manual
54        bridge-ports none
55        bridge-stp off
56        bridge-fd 0
57#SOC
58
59auto vmbr5
60iface vmbr5 inet manual
61        bridge-ports none
62        bridge-stp off
63        bridge-fd 0
64#DMZ
65
66auto vmbr6
67iface vmbr6 inet manual
68        bridge-ports none
69        bridge-stp off
70        bridge-fd 0
71#Monitoring

Pfsense Network Configuration:

The pfSense firewall acts as the gateway between your internal networks and the internet. It’s crucial to properly configure the network interfaces to ensure traffic flows correctly between your different network segments.

SOC

Pay close attention when arranging interfaces to ensure you configure everything else properly.

Installations

I don’t want to make this document too cluttered, so I’ll guide you through the installation process via links that I used when I encountered issues.

Active Directory Domain Controller Installation:

https://ittechnetworkk.github.io/posts/addcinstallation/ad-dc-installation/

https://www.manageengine.com/products/active-directory-audit/kb/how-to/how-to-setup-a-domain-controller.html

https://www.ibm.com/docs/en/storage-scale-bda?topic=support-install-configure-active-directory

You may also consider using Samba DC, which is a great alternative :)

Windows Client Domain Join:

https://woshub.com/add-computer-to-active-directory-domain/

https://www.tenforums.com/tutorials/90045-join-windows-10-pc-domain.html

Linux Domain Join

https://www.redhat.com/en/blog/linux-active-directory

https://www.linkedin.com/pulse/how-join-linux-machine-active-directory-ad-domain-mohsen-rizkallah-36pkf/

https://medium.com/@daryl-goh/how-to-join-a-linux-ubuntu-machine-to-windows-active-directory-domain-a5563ccc4844

Wazuh Installation

https://documentation.wazuh.com/current/quickstart.html

Wazuh Agent Installation

Pfsense

Here you can find both Wazuh Agent installation and how to send logs (including Suricata logs) to the Wazuh server.

https://benheater.com/integrating-pfsense-with-wazuh/

https://kifarunix.com/install-wazuh-agent-on-pfsense/

Alternatively, you can send pfSense logs via Syslog by following these guides:

https://devopstales.github.io/linux/wazuh-pfsense-syslog/

https://app.letsdefend.io/training/lesson_detail/collecting-logs-with-syslog

Windows

https://documentation.wazuh.com/current/installation-guide/wazuh-agent/index.html

If you want to integrate Sysmon, follow these guides:

https://app.letsdefend.io/training/lesson_detail/introduction-and-set-up-of-sysmon

https://app.letsdefend.io/training/lesson_detail/windows-wazuh-agent-installation-and-log-collectio

Linux

https://documentation.wazuh.com/current/installation-guide/wazuh-agent/index.html

TheHive + Cortex Installation

You can find many TheHive+Cortex installation guides, Docker Compose files, and similar resources, but here is my repository that I created to deploy TheHive and Cortex. There you can also find instructions on how to install and configure Cortex Analyzers and Responders.

https://github.com/ssnrshnn/TheHive-Cortex