Built a hands-on training environment used for CTFs, red/blue team, and escalation scenarios.
Unified logging across 10+ systems for centralized SIEM monitoring via Splunk.
Enabled custom domain email services and internal Discord-based role management.
Project Overview
The OSEC Server Refresh project was a full rebuild of our cybersecurity club’s infrastructure. The goal was to modernize our systems, improve reliability, and support more advanced training environments for club members. I led the planning and implementation of the rebuild, focusing on functionality, performance, and long-term scalability.
Infrastructure Planning: Designed a new Proxmox-based virtualization stack to support isolated environments for competitions, labs, and training.
VLAN & Subnet Mapping: Reorganized internal networking for improved security segmentation and easier VM lifecycle management.
Firewall Configuration: Implemented OPNsense with tailored rules for internal lab traffic, internet access controls, and logging.
Documentation: Created a full internal documentation set for future admins, including topology diagrams, VM templates, and firewall policy notes.
The OSEC Pentesting Lab was designed and deployed to provide a realistic, enterprise-style environment for CPTC tryouts, competition preparation, and daily red team practice. Built on an HP DL360P Gen8 with Proxmox, the lab integrates Windows enterprise services, Linux infrastructure, and dedicated attacker networks into a segmented multi-subnet architecture.
Virtual Infrastructure (Proxmox-Hosted):
Windows Server 2016 Environment: Domain Controller, ADCS, six workstations, and a management server to emulate enterprise-grade Active Directory operations.
Linux Services: LDAP, FTP, MySQL, and a Jellyfin media server, deployed via XAMPP for simplified administration and configuration management.
Routers: OpenWRT and OPNsense configured for subnet routing (10.0.0.0/24, 10.0.200.0/24, and 10.0.40.0/24) with attacker segmentation and isolation.
Attacker & Defender Setup:
Attack Platforms: Air-gapped Kali Linux VMs equipped with standard pentesting toolsets, with future plans for BloodHound integration.
Defensive Capabilities: In-progress Splunk integration for centralized log collection and monitoring, with Universal Forwarders to enable SIEM-based analysis and forensics.
Snapshots & Reset Pipeline: Every VM is captured at staged deployment snapshots (initial → networking → services → live), ensuring repeatable resets for training sessions and enabling future automation of full-environment resets.
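A dry-run planner for the staged reset described above, as an added example that is not the club's own tooling. The VM IDs, VM names and snapshot inventory are constructed, and it assumes snapshots were taken without RAM state, so each VM is started again after `qm rollback`.

```python
# Stage names come from the page; everything in INVENTORY is constructed.
STAGES = ["initial", "networking", "services", "live"]

# Constructed inventory: VMID -> (name, snapshots present on that VM)
INVENTORY = {
    101: ("dc01", ["initial", "networking", "services", "live"]),
    102: ("ws01", ["initial", "networking", "services", "live"]),
    120: ("ldap01", ["initial", "networking", "services"]),
    130: ("kali01", ["initial", "networking"]),
}


def common_stages(inventory):
    """Stages that every VM can be rolled back to, in pipeline order."""
    return [s for s in STAGES
            if all(s in snaps for _, snaps in inventory.values())]


def plan_reset(inventory, stage):
    """Return the qm commands that roll every VM back to `stage`.

    Raises ValueError for an unknown stage or if any VM lacks the snapshot,
    so a training session never starts on a half-reset lab.
    """
    if stage not in STAGES:
        raise ValueError(f"unknown stage: {stage!r}")
    missing = [f"{vmid} ({name})"
               for vmid, (name, snaps) in sorted(inventory.items())
               if stage not in snaps]
    if missing:
        raise ValueError(f"snapshot {stage!r} missing on: " + ", ".join(missing))
    commands = []
    for vmid in sorted(inventory):
        commands.append(f"qm rollback {vmid} {stage}")
        commands.append(f"qm start {vmid}")  # assumes no RAM state in snapshot
    return commands


if __name__ == "__main__":
    print("stages safe for a full reset:", common_stages(INVENTORY))
    for line in plan_reset(INVENTORY, "networking"):
        print(line)
```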
Resilience & Realism:
Systems were intentionally hardened with unknown or randomized credentials, requiring exploitation methods (Utilman bypass, GRUB CLI password reset) to bootstrap access.
Misconfigurations and group policy adjustments were introduced to replicate real-world vulnerabilities for red team exploitation and blue team detection.
Performance and stability challenges (NIC throughput limits, OPNsense RAM exhaustion, thin provisioning issues) were resolved through iterative hardware/software tuning, culminating in a stable environment stress-tested to 500+ simultaneous clients.
The result is a hands-on, competition-ready environment used by 40+ students for penetration testing, incident response, and system hardening practice.
As part of the OSEC Server Refresh, we are building a dedicated virtual CCDC simulation environment to help members prepare for Collegiate Cyber Defense Competitions. The setup will replicate a real CCDC environment and provide a realistic, pressure-tested platform for team training.
Key Features
Proxmox-Hosted Infrastructure:
The entire environment runs virtually on a dedicated Proxmox instance with its own isolated subnet for safe, controlled testing.
Replica Service Stack:
Includes virtual machines running web, database, FTP, and internal authentication services, mirroring competition setups.
Automated Red Team Attacks:
A scripted red team instance continuously launches attacks (RCEs, privilege escalations, service disruptions) to simulate real CCDC stress conditions.
To support day-to-day operations, outreach, and interdisciplinary collaboration, the OSEC Server Refresh introduced a dedicated Proxmox instance for club services and student resources. This instance hosts a diverse set of VMs that serve both internal and external functions.
Hosted Services
Discord Authentication Bot
Custom bot tied to our club’s Discord server, handling member verification and role-based access for internal channels.
OSEC Website
Self-hosted static site running on a lightweight web stack to showcase projects, provide documentation, and recruit new members.
Inter-Club Resources
Includes collaborative tools such as an aerodynamics simulator for the UNF Racing team, as well as other tools or media hosting for other student-led clubs.
Training & Miscellaneous OS VMs
Provisioned environments for students to safely experiment with OS configurations, host short-term labs, or build personal projects in an isolated setting.
Note
The Discord Authentication Bot, OSEC Website, and Inter-Club Resources were successfully developed, but were taken down due to campus IT policy restrictions.
To streamline communications and present a more professional image, the infrastructure includes a self-hosted IMAP email server configured to handle custom domain email addresses for campus organizations.
Key Features
Custom Domain Integration
Enables student organizations to send and receive emails using branded addresses (e.g., team@unfhockey.com) without relying on third-party providers.
Universal Access
Compatible with most desktop and mobile mail clients via standard IMAP and SMTP protocols.
Security & Routing
Includes DNS-based protections (SPF, DKIM, DMARC) and optional relay support to improve deliverability and reduce spam classification.
Purpose
This solution offers clubs full control over their communications, improves brand presence in external messaging, and eliminates recurring costs associated with managed email providers.
Note
This system was successfully built and tested, but not deployed in production due to campus IT policy restrictions.
The OSEC Server Refresh was a transformative project that modernized our technical backbone while enhancing member training and club operations. It stands as a scalable foundation for future cybersecurity growth at UNF.