diff --git a/opsec/anonymous_server_monitoring/index.html b/opsec/anonymous_server_monitoring/index.html
index 5051de6..9ce5dbd 100644
--- a/opsec/anonymous_server_monitoring/index.html
+++ b/opsec/anonymous_server_monitoring/index.html
@@ -220,6 +220,43 @@
Tor Configuration
+
+On the Client
+run the following as root to create a hidden service for the prometheus collector
+
+
+apt update
+apt install prometheus-node-exporter tor
+systemctl stop tor #stop the tor service
+
+mkdir -p /var/lib/tor/onion/prometheus/authorized_clients #create the client auth keys folder to store our second layer of authentication
+chmod 400 -R /var/lib/tor/prometheus #set restrictive file permissions
+
+vi /etc/tor/torrc #edit the torrc file to add content
+
+cat /etc/tor/torrc
+AutomapHostsSuffixes .onion,.exit
+DataDirectory /var/lib/tor
+SOCKSPort 127.0.0.1:9050 IsolateDestAddr
+HiddenServiceDir /var/lib/tor/onion/prometheus
+HiddenServicePort 9100 127.0.0.1:9100
+
+tor-client-auth-gen
+private_key=descriptor:x25519:DBQW3GP5FCN2KQBDKTDKDAQUQWBEGBZ5TFYJE4KTJFBUOJPKYZBQ #paste this key to your local machine as your prometheus node will need it
+echo "descriptor:x25519:6HDNHLLKIFNU5Q6T75B6Q3GBYDO5ZF4SQUX7EYDEKWNLPQUWUBTA" > /var/lib/tor/onion/prometheus/0.auth
+
+chown debian-tor:debian-tor -R /var/lib/tor # make tor owner of this folder
+
+systemctl start tor #restart tor
+systemctl status tor #check that everything works
+
+cat /var/lib/tor/onion/prometheus/hostname
+[clientaddr].onion
+
+
+On the aggregator
+
+
The prometheus collector will only be accessed locally by grafana so it doesn't need to be accessible over tor. Grafana, on the other hand, does.
@@ -230,155 +267,80 @@
sudo systemctl stop tor #stop the tor service
mkdir -p /var/lib/tor/auth_keys #create the client auth keys folder to store our second layer of authentication
+mkdir -p /var/lib/tor/onion/grafana #create the client auth keys folder to store our second layer of authentication
chmod 400 -R /var/lib/tor/auth_keys #set restrictive file permissions
-chown tor:tor -R /var/lib/tor/auth_keys # make tor owner of this folder
+chmod 400 -R /var/lib/tor/onion #set restrictive file permissions
vi /etc/tor/torrc #edit the torrc file to add content
+cat /etc/tor/torrc
+AutomapHostsSuffixes .onion,.exit
+DataDirectory /var/lib/tor
+SOCKSPort 127.0.0.1:9050 IsolateDestAddr
+HiddenServiceDir /var/lib/tor/onion/grafana
+HiddenServicePort 80 127.0.0.1:3000
+ClientOnionAuthDir /var/lib/tor/auth_keys
+
+tor-client-auth-gen
+private_key=descriptor:x25519:YCPURSYN4FL4QKQSXFTGLYNBHOVVRCQYRZLFHMZFCUFU5R6DCRMQ
+public_key=descriptor:x25519:UUQW4LIO447WRQOSRSNDXEW5NZMSR3CYOP65ZIFWH6G2PUKWV5WQ
+
+echo "YCPURSYN4FL4QKQSXFTGLYNBHOVVRCQYRZLFHMZFCUFU5R6DCRMQ" > ~/mygrafana_auth_key
+echo "UUQW4LIO447WRQOSRSNDXEW5NZMSR3CYOP65ZIFWH6G2PUKWV5WQ" > /var/lib/tor/onion/grafana/0.auth
+
+chown debian-tor:debian-tor -R /var/lib/tor # make tor owner of this folder
+
systemctl start tor #restart tor
systemctl status tor #check that everything works
-and add the content below:
+And that's all you'll need! one hidden service for grafana.
You'll find your hostname in /var/lib/tor/onion/grafana/hostname.
-
-AutomapHostsSuffixes .onion,.exit
-DataDirectory /var/lib/tor
-SOCKSPort 127.0.0.1:9050 IsolateDestAddr
-HiddenServiceDir /var/lib/tor/onion/grafana
-HiddenServicePort 80 127.0.0.1:2700
-ClientOnionAuthDir /var/lib/tor/auth_keys
-
-
-And that's all you'll need! one hiddn service for grafana.
You'll find your hostname in /var/lib/tor/onion/grafana/hostname.
Prometheus server configuration
clean and simple: we scrape our server every 10s for new data, configure a proxy URL so scraping happens over tor, using our socksport and configure ou scraping targets.
-modify the prometheus.yml file (most likely located in /etc/prometheus)
-
+
+vi /etc/prometheus/prometheus.yml
+
+cat /etc/prometheus/prometheus.yml
+
+alerting:
+ alertmanagers: []
global:
scrape_interval: 10s
+remote_read: []
+remote_write: []
scrape_configs:
-- job_name: nodes
+- job_name: remote-nodes
proxy_url: socks5h://localhost:9050
static_configs:
- labels: {}
targets:
- - [fill later with our client .onion address]:9002
+ - [clientaddr].onion:9100
+- job_name: local-node
+ static_configs:
+ - labels: {}
+ targets:
+ - localhost:9100
+
+
-Setting up the client
-On the client it's even easier.
+Grafana configuration
-Tor Configuration
-Since prometheus works on a pull model, you will need to expose your node exporter, no need for a socks proxy either.
+First let's start grafana and make it available: as root,
-AutomapHostsSuffixes .onion,.exit
-DataDirectory /var/lib/tor
-HiddenServiceDir /var/lib/tor/onion/prometheus
-HiddenServicePort 9002 127.0.0.1:9002
-
+docker run -d -p 3000:3000 --name=grafana grafana/grafana-enterprise
+
- Next, you need to install the prometheus-node-exporter. Depending on your distribution of choice it's very likely it's in your package manager under that name.
-
+As tor is already configured you can find your grafana url by looking at /var/lib/tor/onion/grafana/hostname
+
- and here is how we will start it in our unit file (created in /etc/systemd/system/prometheus-node-exporter.service) :
-
-
-[Unit]
-After=network.target
-
-[Service]
-CapabilityBoundingSet=
-DeviceAllow=
-DynamicUser=false
-ExecStart=/bin/node_exporter \
- --collector.systemd \
- \
- --web.listen-address 127.0.0.1:9002 --collector.ethtool --collector.softirqs --collector.tcpstat --collector.wifi
-
-Group=node-exporter
-LockPersonality=true
-MemoryDenyWriteExecute=true
-NoNewPrivileges=true
-PrivateDevices=true
-PrivateTmp=true
-ProtectClock=false
-ProtectControlGroups=true
-ProtectHome=true
-ProtectHostname=true
-ProtectKernelLogs=true
-ProtectKernelModules=true
-ProtectKernelTunables=true
-ProtectSystem=strict
-RemoveIPC=true
-Restart=always
-RestrictAddressFamilies=AF_UNIX
-RestrictAddressFamilies=AF_NETLINK
-RestrictAddressFamilies=AF_INET
-RestrictAddressFamilies=AF_INET6
-RestrictNamespaces=true
-RestrictRealtime=true
-RestrictSUIDSGID=true
-RuntimeDirectory=prometheus-node-exporter
-SystemCallArchitectures=native
-UMask=0077
-User=node-exporter
-WorkingDirectory=/tmp
-
-[Install]
-WantedBy=multi-user.target
-
-
-
- Do note that the name of the executable might change based on your distribution. What it does:
-
-
- - collect systemd data (services and so on)
- - collect internet throughput data
- - wifi information
- - cpu interrupts information
-
-
- And make them available to your server.
-
- Right now, if an attacker could find your hidden service URL they could harvest this data about your server, you need to secure it by adding a key that will only allow your aggregator to connect
-
- Let's generate a keypair:
-
- user@computer$ tor-client-auth-gen
-private_key=descriptor:x25519:3B6CE5X4I4XGXA5TDQWQONLLAJ6B5FQNPTBOFSF4AN6K6AJUXBOQ
-public_key=descriptor:x25519:H7O5I7HUGLFM4IMPHNRN6L4S6TG4KJYDBXTYGOYJOUHH5NXVPJVA
-
-
- The private_key line must be copied to the following path on your prometheus aggregator: /var/lib/tor/auth_keys/prometheus.auth_private, prepended with your target onion address like this
-
- mymonitoredserver.onion:descriptor:x25519:3B6CE5X4I4XGXA5TDQWQONLLAJ6B5FQNPTBOFSF4AN6K6AJUXBOQ
-
-
- The public_key must be added on the monitored server at the following path: /var/lib/tor/prometheus/authorized_clients/server.auth with the following content
-
-descriptor:x25519:H7O5I7HUGLFM4IMPHNRN6L4S6TG4KJYDBXTYGOYJOUHH5NXVPJVA
-
-
- That way, only your monitoring server will be able to authenticate and scrape data from your monitored server.
-
- Grafana has its own authentication system and database, still it reamins a critical service and it's not immune from 0 days and vulnerabilities that could be leveraged to obtain access. In order to apply a defense in depth principle we are going to do the same exercise for it:
-
-
- user@computer$ tor-client-auth-gen
-private_key=descriptor:x25519:FD7NAZTGZAXA6CTXNXR3JCVSKAPW23EP5EQOUMXKRQCKACEVUJ7A
-public_key=descriptor:x25519:OBIIXC3MWQ4VCEUS7Z6LOMOQG3CFP77SSWE45EDITP55WHVZFM6Q
-
-
- We'll put the public key on our monitoring server at /var/lib/tor/grafana/authorized_clients/admin.auth
- and our public key on our whonix workstation at /var/lib/tor/auth_keys/grafana.auth_private
- That way, even if an attacker discovers your grafana instance URL and has in their possession either your password or an exploit allowing them to do an authentication bypass
- they still won't be able to get in unless they also break the encryption underpinning the tor network.
+Now let's configure a couple of dashboards