From 3e6795964d6d55684a4b353213c75c1d033cb7b4 Mon Sep 17 00:00:00 2001 From: urist Date: Thu, 6 Mar 2025 15:30:28 +0100 Subject: [PATCH] add configuration steps for debian --- opsec/anonymous_server_monitoring/index.html | 202 ++++++++----------- 1 file changed, 82 insertions(+), 120 deletions(-) diff --git a/opsec/anonymous_server_monitoring/index.html b/opsec/anonymous_server_monitoring/index.html index 5051de6..9ce5dbd 100644 --- a/opsec/anonymous_server_monitoring/index.html +++ b/opsec/anonymous_server_monitoring/index.html @@ -220,6 +220,43 @@

Tor Configuration

+ +

On the Client

+run the following as root to create a hidden service for the prometheus collector + +

+apt update
+apt install prometheus-node-exporter tor
+systemctl stop tor #stop the tor service
+
+mkdir -p /var/lib/tor/onion/prometheus/authorized_clients #create the client auth keys folder to store our second layer of authentication
+chmod 400 -R /var/lib/tor/prometheus #set restrictive file permissions
+
+vi /etc/tor/torrc #edit the torrc file to add content
+
+cat /etc/tor/torrc
+AutomapHostsSuffixes .onion,.exit
+DataDirectory /var/lib/tor
+SOCKSPort 127.0.0.1:9050 IsolateDestAddr
+HiddenServiceDir /var/lib/tor/onion/prometheus
+HiddenServicePort 9100 127.0.0.1:9100
+
+tor-client-auth-gen 
+private_key=descriptor:x25519:DBQW3GP5FCN2KQBDKTDKDAQUQWBEGBZ5TFYJE4KTJFBUOJPKYZBQ #paste this key to your local machine as your prometheus node will need it
+echo "descriptor:x25519:6HDNHLLKIFNU5Q6T75B6Q3GBYDO5ZF4SQUX7EYDEKWNLPQUWUBTA" > /var/lib/tor/onion/prometheus/0.auth
+
+chown debian-tor:debian-tor -R /var/lib/tor # make tor owner of this folder
+
+systemctl start tor #restart tor
+systemctl status tor #check that everything works
+
+cat /var/lib/tor/onion/prometheus/hostname
+[clientaddr].onion
+
+ +

On the aggregator

+ + The prometheus collector will only be accessed locally by grafana so it doesn't need to be accessible over tor. Grafana, on the other hand, does.
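Review bot: the client-authorization public key lands in the wrong directory, so this hidden service ends up reachable by anyone who learns the onion address. The hunk creates `/var/lib/tor/onion/prometheus/authorized_clients` but then runs `echo "descriptor:x25519:..." > /var/lib/tor/onion/prometheus/0.auth`; Tor only loads `.auth` files from the `authorized_clients` subdirectory, so the redirect should target `/var/lib/tor/onion/prometheus/authorized_clients/0.auth`. Two smaller points in the same block: `chmod 400 -R /var/lib/tor/prometheus` names a path that was never created (the directory made above is `/var/lib/tor/onion/prometheus`), and mode 400 on a directory removes the execute bit needed to traverse it, while Tor expects its HiddenServiceDir at 700; `chmod 700 /var/lib/tor/onion/prometheus` plus 600 on the files inside is what is wanted. Finally, the comment on the `private_key=` line says to paste the key "to your local machine", but it is the aggregator's tor daemon that needs it, as a `.auth_private` file under its `ClientOnionAuthDir`; the sentence that used to document that step is deleted in the next hunk and nothing replaces it, so please say here where the private key goes and in what format.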
@@ -230,155 +267,80 @@ sudo systemctl stop tor #stop the tor service mkdir -p /var/lib/tor/auth_keys #create the client auth keys folder to store our second layer of authentication +mkdir -p /var/lib/tor/onion/grafana #create the client auth keys folder to store our second layer of authentication chmod 400 -R /var/lib/tor/auth_keys #set restrictive file permissions -chown tor:tor -R /var/lib/tor/auth_keys # make tor owner of this folder +chmod 400 -R /var/lib/tor/onion #set restrictive file permissions vi /etc/tor/torrc #edit the torrc file to add content +cat /etc/tor/torrc +AutomapHostsSuffixes .onion,.exit +DataDirectory /var/lib/tor +SOCKSPort 127.0.0.1:9050 IsolateDestAddr +HiddenServiceDir /var/lib/tor/onion/grafana +HiddenServicePort 80 127.0.0.1:3000 +ClientOnionAuthDir /var/lib/tor/auth_keys + +tor-client-auth-gen +private_key=descriptor:x25519:YCPURSYN4FL4QKQSXFTGLYNBHOVVRCQYRZLFHMZFCUFU5R6DCRMQ +public_key=descriptor:x25519:UUQW4LIO447WRQOSRSNDXEW5NZMSR3CYOP65ZIFWH6G2PUKWV5WQ + +echo "YCPURSYN4FL4QKQSXFTGLYNBHOVVRCQYRZLFHMZFCUFU5R6DCRMQ" > ~/mygrafana_auth_key +echo "UUQW4LIO447WRQOSRSNDXEW5NZMSR3CYOP65ZIFWH6G2PUKWV5WQ" > /var/lib/tor/onion/grafana/0.auth + +chown debian-tor:debian-tor -R /var/lib/tor # make tor owner of this folder + systemctl start tor #restart tor systemctl status tor #check that everything works -and add the content below: +And that's all you'll need! one hidden service for grafana.
You'll find your hostname in /var/lib/tor/onion/grafana/hostname. -

-AutomapHostsSuffixes .onion,.exit
-DataDirectory /var/lib/tor
-SOCKSPort 127.0.0.1:9050 IsolateDestAddr
-HiddenServiceDir /var/lib/tor/onion/grafana
-HiddenServicePort 80 127.0.0.1:2700
-ClientOnionAuthDir /var/lib/tor/auth_keys
-
- -And that's all you'll need! one hiddn service for grafana.
You'll find your hostname in /var/lib/tor/onion/grafana/hostname.

Prometheus server configuration

clean and simple: we scrape our server every 10s for new data, configure a proxy URL so scraping happens over tor, using our socksport and configure ou scraping targets.
-modify the prometheus.yml file (most likely located in /etc/prometheus) -

+
+vi /etc/prometheus/prometheus.yml
+
+cat /etc/prometheus/prometheus.yml
+
+alerting:
+  alertmanagers: []
 global:
   scrape_interval: 10s
+remote_read: []
+remote_write: []
 scrape_configs:
-- job_name: nodes
+- job_name: remote-nodes
   proxy_url: socks5h://localhost:9050
   static_configs:
   - labels: {}
     targets:
-    - [fill later with our client .onion address]:9002
+    - [clientaddr].onion:9100
+- job_name: local-node
+  static_configs:
+  - labels: {}
+    targets:
+    - localhost:9100
+
+
 
-

Setting up the client

-On the client it's even easier. +

Grafana configuration

-

Tor Configuration

-Since prometheus works on a pull model, you will need to expose your node exporter, no need for a socks proxy either. +First let's start grafana and make it available: as root,

-AutomapHostsSuffixes .onion,.exit
-DataDirectory /var/lib/tor
-HiddenServiceDir /var/lib/tor/onion/prometheus
-HiddenServicePort 9002 127.0.0.1:9002
-
+docker run -d -p 3000:3000 --name=grafana grafana/grafana-enterprise + - Next, you need to install the prometheus-node-exporter. Depending on your distribution of choice it's very likely it's in your package manager under that name. -
+As tor is already configured you can find your grafana url by looking at /var/lib/tor/onion/grafana/hostname +

- and here is how we will start it in our unit file (created in /etc/systemd/system/prometheus-node-exporter.service) :
-

-
-[Unit]
-After=network.target
-
-[Service]
-CapabilityBoundingSet=
-DeviceAllow=
-DynamicUser=false
-ExecStart=/bin/node_exporter \
-  --collector.systemd \
-   \
-  --web.listen-address 127.0.0.1:9002 --collector.ethtool --collector.softirqs --collector.tcpstat --collector.wifi
-
-Group=node-exporter
-LockPersonality=true
-MemoryDenyWriteExecute=true
-NoNewPrivileges=true
-PrivateDevices=true
-PrivateTmp=true
-ProtectClock=false
-ProtectControlGroups=true
-ProtectHome=true
-ProtectHostname=true
-ProtectKernelLogs=true
-ProtectKernelModules=true
-ProtectKernelTunables=true
-ProtectSystem=strict
-RemoveIPC=true
-Restart=always
-RestrictAddressFamilies=AF_UNIX
-RestrictAddressFamilies=AF_NETLINK
-RestrictAddressFamilies=AF_INET
-RestrictAddressFamilies=AF_INET6
-RestrictNamespaces=true
-RestrictRealtime=true
-RestrictSUIDSGID=true
-RuntimeDirectory=prometheus-node-exporter
-SystemCallArchitectures=native
-UMask=0077
-User=node-exporter
-WorkingDirectory=/tmp
-
-[Install]
-WantedBy=multi-user.target
- 
- -
- Do note that the name of the executable might change based on your distribution. What it does: -
- - - And make them available to your server. -

- Right now, if an attacker could find your hidden service URL they could harvest this data about your server, you need to secure it by adding a key that will only allow your aggregator to connect
- - Let's generate a keypair: -

- user@computer$ tor-client-auth-gen 
-private_key=descriptor:x25519:3B6CE5X4I4XGXA5TDQWQONLLAJ6B5FQNPTBOFSF4AN6K6AJUXBOQ
-public_key=descriptor:x25519:H7O5I7HUGLFM4IMPHNRN6L4S6TG4KJYDBXTYGOYJOUHH5NXVPJVA
- 
- - The private_key line must be copied to the following path on your prometheus aggregator: /var/lib/tor/auth_keys/prometheus.auth_private, prepended with your target onion address like this
-

- mymonitoredserver.onion:descriptor:x25519:3B6CE5X4I4XGXA5TDQWQONLLAJ6B5FQNPTBOFSF4AN6K6AJUXBOQ
- 
- - The public_key must be added on the monitored server at the following path: /var/lib/tor/prometheus/authorized_clients/server.auth with the following content
-

-descriptor:x25519:H7O5I7HUGLFM4IMPHNRN6L4S6TG4KJYDBXTYGOYJOUHH5NXVPJVA
- 
- - That way, only your monitoring server will be able to authenticate and scrape data from your monitored server. -

- Grafana has its own authentication system and database, still it reamins a critical service and it's not immune from 0 days and vulnerabilities that could be leveraged to obtain access. In order to apply a defense in depth principle we are going to do the same exercise for it: - -

- user@computer$ tor-client-auth-gen 
-private_key=descriptor:x25519:FD7NAZTGZAXA6CTXNXR3JCVSKAPW23EP5EQOUMXKRQCKACEVUJ7A
-public_key=descriptor:x25519:OBIIXC3MWQ4VCEUS7Z6LOMOQG3CFP77SSWE45EDITP55WHVZFM6Q
- 
- - We'll put the public key on our monitoring server at /var/lib/tor/grafana/authorized_clients/admin.auth
- and our public key on our whonix workstation at /var/lib/tor/auth_keys/grafana.auth_private
- That way, even if an attacker discovers your grafana instance URL and has in their possession either your password or an exploit allowing them to do an authentication bypass - they still won't be able to get in unless they also break the encryption underpinning the tor network. +Now let's configure a couple of dashboards
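Review bot: the grafana block repeats the client-authorization mistake and also gets the file content wrong: `echo "UUQW4LIO447WRQOSRSNDXEW5NZMSR3CYOP65ZIFWH6G2PUKWV5WQ" > /var/lib/tor/onion/grafana/0.auth` writes the bare base32 key straight into the HiddenServiceDir, whereas the prometheus hunk writes the `descriptor:x25519:<key>` form that tor-client-auth-gen prints, and the file belongs under `authorized_clients/`; as committed, the grafana onion is reachable without the "second layer of authentication" the comments promise. Related: `ClientOnionAuthDir /var/lib/tor/auth_keys` is added to the aggregator torrc, but nothing in this hunk places the prometheus client's `.auth_private` file there, and the paragraph that explained it (`/var/lib/tor/auth_keys/prometheus.auth_private`, onion address prefixed) is removed without a replacement; scraping only succeeds right now because the client-side authorization is misplaced too, so the two bugs mask each other. The private key written to `~/mygrafana_auth_key` likewise belongs on the whonix workstation as `grafana.auth_private` in its ClientOnionAuthDir, prefixed with the onion address (the Tor manual's format is `<onion-address>:descriptor:x25519:<key>` without the `.onion` suffix, unlike the removed example), and should not remain on the server. Separately, `docker run -d -p 3000:3000 --name=grafana grafana/grafana-enterprise` publishes Grafana on every interface, not only to the local tor daemon that the text says is the intended path; `-p 127.0.0.1:3000:3000` keeps it loopback-only so the `HiddenServicePort 80 127.0.0.1:3000` mapping is the sole route in. Minor: the `mkdir -p /var/lib/tor/onion/grafana` line carries a copy-pasted "client auth keys folder" comment although it creates the hidden service directory, and `chmod 400 -R /var/lib/tor/onion` has the same directory-traversal problem as the prometheus hunk (700 on directories).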