Purpose:

FORTRESS is my refurbished all-in-one computer, transformed from a slow personal machine into a dedicated cyber range for testing attacks, monitoring telemetry, and simulating real-world blue-team scenarios. 

Outcome

• Rebuilt an old all-in-one PC with new SSD (2.5” SATA) and 8 GB RAM, giving it a second life as a red-team victim host.
  
  

• Installed Ubuntu 22.04 LTS and hardened it with least-privilege users, SSH-key authentication, and firewall (UFW).
  
  

• Linked its event and network logs to my AI SOC Lab (GCP + Splunk) for real-time detection and alerting.
  
  

• Created a safe environment to launch controlled attacks (port scans, brute force, PII exfil attempts) and observe responses via Splunk dashboards.

Steps

1. Hardware restoration
   
   

   • Replaced HDD → Crucial 2.5” SSD
     
     

   • Upgraded single 4 GB RAM → 8 GB DDR3
     
     

   • Verified BIOS detects both; disabled legacy boot.
     
     

2. OS installation
   
   

   • Created a bootable Ubuntu 22.04 USB 3.0 (Rufus).
     
     

   • Performed minimal install; timezone = PST; user = fortress-admin.
     
     

3. System hardening
   
   

   • Configured SSH (PermitRootLogin no, key-based).
     
     

   • Enabled UFW: allow 22/tcp, deny others → baseline clean state.
     
     

   • Updated packages; installed auditd, sysmon, and net-tools.
     
     

4. Telemetry setup
   
   

   • Enabled Syslog forwarding to Splunk HEC (:8088).
     
     

   • Tagged host as fortress.local in dashboards.
     
     

   • Created detection rules for failed logins, PII regex hits, and privilege escalation.
     
     

5. Attack simulation
   
   

   • Ran Nmap scans, invalid API keys, prompt injection tests, and exfil scripts.
     
     

   • Observed Splunk alerts (<60 s latency) and verified mitigation workflow.
     
     

Validation

• ss -tulpn confirms Splunk HEC listening on :8088.
  
  

• curl -X POST … from FORTRESS returns 200 → event indexed.
  
  

• Splunk dashboard shows Fortress events in real time.
  
  

• Controlled brute-force attempt triggers failed login alert within 45 s.

Lessons Learned

• Refurbishing older hardware can provide a low-cost, realistic SOC target.
  
  

• Attack simulations become far more convincing when run on a physical host feeding a cloud SIEM.
  
  

• Reinforces skills in system hardening, remote monitoring, and forensic triage.