<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Artifacts :: Forensic wheels</title><link>https://polymathmonkey.github.io/weblog/artifacts/index.html</link><description>Technical articles and project documentation</description><generator>Hugo</generator><language>en-us</language><copyright>All text is licensed under a Creative Commons Attribution 4.0 International License.</copyright><lastBuildDate>Tue, 21 Apr 2026 07:41:10 +0200</lastBuildDate><atom:link href="https://polymathmonkey.github.io/weblog/artifacts/index.xml" rel="self" type="application/rss+xml"/><item><title>Threathunting I: Network setup</title><link>https://polymathmonkey.github.io/weblog/artifacts/threathuntingnet/index.html</link><pubDate>Tue, 08 Jul 2025 09:15:00 +0200</pubDate><guid>https://polymathmonkey.github.io/weblog/artifacts/threathuntingnet/index.html</guid><description>Table of Contents Introduction Why I Built a Home Lab for Threat Hunting 🕵 Network Setup Topology, Hardware and Tools 🛠 Firewall configuration 🧱 Switch configuration What I Learned What's next Introduction This is a small series I wanted to start, in which I write about my small threat hunting setup and describe a little of what I built and what I am doing with it.
In this part, I will describe the network setup for my environment; how I built the honeypots and the ELK server I will cover in the follow-up articles on threat hunting.</description></item><item><title>Sans FOR608</title><link>https://polymathmonkey.github.io/weblog/artifacts/sans_for608/index.html</link><pubDate>Fri, 20 Mar 2026 07:39:00 +0100</pubDate><guid>https://polymathmonkey.github.io/weblog/artifacts/sans_for608/index.html</guid><description>Table of Contents Enterprise Threat Hunting and Incident Response (FOR608) Preparing for the exam: building an index 608.1 – Proactive Detection and Response 608.2 – Scaling Response and Analysis 608.3 – Modern Attacks against Windows and Linux 608.4 – macOS and Docker Containers 608.5 – Cloud Attacks and Response 608.6 – Capstone What I took away from this The unseen hero of OpenBSD: otto’s malloc What this is about Start here: what malloc actually does A brief history: how we got here The internal structure The defense mechanisms, together Why classic heap exploits fail here Comparison with other allocators What I took away from this References Enterprise Threat Hunting and Incident Response (FOR608) My employer booked me onto SANS FOR608, in the on-demand version, back in 2025.</description></item><item><title>Threat hunting II: SSH Honeypot</title><link>https://polymathmonkey.github.io/weblog/artifacts/theathuntinghoneypot/index.html</link><pubDate>Mon, 29 Sep 2025 07:18:00 +0200</pubDate><guid>https://polymathmonkey.github.io/weblog/artifacts/theathuntinghoneypot/index.html</guid><description>Table of Contents Introduction What is Cowrie? Why Podman over Docker? 
Preconditions / System setup Ubuntu Installed on Raspberry Pi 4+ System Fully Updated Podman installed and working VLAN Tagging Configured on Network Interface Setup environment, install cowrie as container and adjust configuration 🐧 Create a Dedicated User for Cowrie (No Login Shell) 🐳 Pull and Configure Cowrie with Podman 🛠 cowrie.cfg – Basic Overview 🚀 Run Cowrie Container as ‘cowrie’ User 🎯 Operating the Honeypot 🔄 Automatically Restart Cowrie Podman Container with systemd 🔒 Security Notes Log Forwarding with Filebeat 📦 Install Filebeat on Ubuntu ⚙ Configure and test Filebeat 🚀 Start and Enable Filebeat 🎯 TL;DR – What Did We Just Do? What's next Introduction This post provides a brief walkthrough of how to deploy a lightweight, containerized SSH honeypot using Cowrie and Podman, with the goal of capturing and analyzing malicious activity as part of my threat hunting strategy.</description></item><item><title>The unseen hero of OpenBSD</title><link>https://polymathmonkey.github.io/weblog/artifacts/openbsdmalloc/index.html</link><pubDate>Mon, 20 Apr 2026 17:09:00 +0200</pubDate><guid>https://polymathmonkey.github.io/weblog/artifacts/openbsdmalloc/index.html</guid><description>The unseen hero of OpenBSD: otto’s malloc What this is about This is me learning about OpenBSD’s malloc.
I try not to do a surface-level overview.
I want to understand the internals better, the data structures, the design decisions, and why those decisions make heap exploitation so much harder.
What malloc actually does Every C program that needs memory at runtime calls malloc.
malloc is a library function. It’s not a syscall – it’s a layer between your code and the kernel.</description></item><item><title>Monitor systems with monit</title><link>https://polymathmonkey.github.io/weblog/artifacts/monitmon/index.html</link><pubDate>Mon, 08 Dec 2025 11:40:00 +0100</pubDate><guid>https://polymathmonkey.github.io/weblog/artifacts/monitmon/index.html</guid><description>Introduction Requirements Installing Monit on OpenBSD Monit – Essential System and Router Services System monitoring runs every 45 seconds. The first check is delayed by 120 seconds to avoid overloading the system immediately after boot.
`set daemon 45 with start delay 120`
Monit logs to syslog. `idfile` and `statefile` store Monit’s persistent state and identity across restarts.
`set log syslog`
`set idfile /var/monit/id`
`set statefile /var/monit/state`
Limits control buffer sizes and timeouts for program outputs, network I/O, and service start/stop/restart operations. This prevents Monit from hanging or processing excessive data.</description></item><item><title>Fixing Yellow Shards in Elasticsearch</title><link>https://polymathmonkey.github.io/weblog/artifacts/yellowshardsinelastic/index.html</link><pubDate>Wed, 12 Nov 2025 11:07:00 +0100</pubDate><guid>https://polymathmonkey.github.io/weblog/artifacts/yellowshardsinelastic/index.html</guid><description>Introduction If you’re running Elasticsearch on a single node — like a Raspberry Pi or small lab setup like I am — you might notice some indices appear with a yellow health status.
This short article explains what that means and how to fix it, especially in resource-constrained, single-node environments.
What Does “Yellow” Mean? In Elasticsearch:
green: All primary and replica shards are assigned and active.
yellow: All primary shards are active, but at least one replica shard is unassigned.
red: At least one primary shard is missing → critical!
Why Yellow Happens on Single Nodes In single-node clusters, Elasticsearch cannot assign replica shards (because a replica must live on a different node than its primary). So any index with replicas will always be yellow unless:</description></item><item><title>Rescue to the softraid</title><link>https://polymathmonkey.github.io/weblog/artifacts/rescuetotheraid/index.html</link><pubDate>Wed, 15 Oct 2025 19:03:00 +0200</pubDate><guid>https://polymathmonkey.github.io/weblog/artifacts/rescuetotheraid/index.html</guid><description>Introduction So I had this USB disk attached to my OpenBSD router, used as storage. One Saturday when I was walking by, I noticed weird clicking sounds from the disk, so I knew time was running out before the disk would fail.
Curiously, when I plugged the same drive into a Linux box, it was detected and even showed a valid OpenBSD partition table. That gave me a glimmer of hope: maybe the hardware wasn’t completely dead yet.</description></item><item><title>Putting my gpg key on my yubikey</title><link>https://polymathmonkey.github.io/weblog/artifacts/gpgonmyyubi/index.html</link><pubDate>Wed, 29 Oct 2025 12:17:00 +0100</pubDate><guid>https://polymathmonkey.github.io/weblog/artifacts/gpgonmyyubi/index.html</guid><description>Why GPG? In an age where digital identities are easily faked and impersonation is just a few clicks away, I decided to take a step forward in securing mine. GPG (GNU Privacy Guard) provides a robust way to authenticate, encrypt, and sign digital content. In this post, I’ll walk you through how I:
Created a GPG key pair
Set up subkeys and stored them on my YubiKey
Published my public key on my website
Signed and encrypted personal documents for secure public sharing
Configured email signing using GPG
Step 1: Installing GPG To start, I made sure GPG was installed. Here’s how I did it on each of my systems:</description></item></channel></rss>