oxeo0/blog-contributions
1
0
Fork 0
mirror of http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions.git synced 2025-07-02 11:56:40 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

add configuration steps for debian

Browse source
This commit is contained in:
urist 2025-03-06 15:30:28 +01:00
parent fcc49e2fcb
commit 3e6795964d
1 changed files with 82 additions and 120 deletions
Download patch file Download diff file Expand all files Collapse all files

202
opsec/anonymous_server_monitoring/index.html
View file

@ -220,6 +220,43 @@
<h2>Tor Configuration</h2> <h2>Tor Configuration</h2>
<h3>On the Client</h3>
run the following as root to create a hidden service for the prometheus collector
<pre><code class="nim">
apt update
apt install prometheus-node-exporter tor
systemctl stop tor #stop the tor service
mkdir -p /var/lib/tor/onion/prometheus/authorized_clients #create the client auth keys folder to store our second layer of authentication
chmod 400 -R /var/lib/tor/prometheus #set restrictive file permissions
vi /etc/tor/torrc #edit the torrc file to add content
cat /etc/tor/torrc
AutomapHostsSuffixes .onion,.exit
DataDirectory /var/lib/tor
SOCKSPort 127.0.0.1:9050 IsolateDestAddr
HiddenServiceDir /var/lib/tor/onion/prometheus
HiddenServicePort 9100 127.0.0.1:9100
tor-client-auth-gen
private_key=descriptor:x25519:DBQW3GP5FCN2KQBDKTDKDAQUQWBEGBZ5TFYJE4KTJFBUOJPKYZBQ #paste this key to your local machine as your prometheus node will need it
echo "descriptor:x25519:6HDNHLLKIFNU5Q6T75B6Q3GBYDO5ZF4SQUX7EYDEKWNLPQUWUBTA" > /var/lib/tor/onion/prometheus/0.auth
chown debian-tor:debian-tor -R /var/lib/tor # make tor owner of this folder
systemctl start tor #restart tor
systemctl status tor #check that everything works
cat /var/lib/tor/onion/prometheus/hostname
[clientaddr].onion
</code></pre>
<h3>On the aggregator</h3>
The prometheus collector will only be accessed locally by grafana so it doesn't need to be accessible over tor. Grafana, on the other hand, does. The prometheus collector will only be accessed locally by grafana so it doesn't need to be accessible over tor. Grafana, on the other hand, does.
<br> <br>
@ -230,155 +267,80 @@
sudo systemctl stop tor #stop the tor service sudo systemctl stop tor #stop the tor service
mkdir -p /var/lib/tor/auth_keys #create the client auth keys folder to store our second layer of authentication mkdir -p /var/lib/tor/auth_keys #create the client auth keys folder to store our second layer of authentication
mkdir -p /var/lib/tor/onion/grafana #create the client auth keys folder to store our second layer of authentication
chmod 400 -R /var/lib/tor/auth_keys #set restrictive file permissions chmod 400 -R /var/lib/tor/auth_keys #set restrictive file permissions
chown tor:tor -R /var/lib/tor/auth_keys # make tor owner of this folder chmod 400 -R /var/lib/tor/onion #set restrictive file permissions
vi /etc/tor/torrc #edit the torrc file to add content vi /etc/tor/torrc #edit the torrc file to add content
cat /etc/tor/torrc
AutomapHostsSuffixes .onion,.exit
DataDirectory /var/lib/tor
SOCKSPort 127.0.0.1:9050 IsolateDestAddr
HiddenServiceDir /var/lib/tor/onion/grafana
HiddenServicePort 80 127.0.0.1:3000
ClientOnionAuthDir /var/lib/tor/auth_keys
tor-client-auth-gen
private_key=descriptor:x25519:YCPURSYN4FL4QKQSXFTGLYNBHOVVRCQYRZLFHMZFCUFU5R6DCRMQ
public_key=descriptor:x25519:UUQW4LIO447WRQOSRSNDXEW5NZMSR3CYOP65ZIFWH6G2PUKWV5WQ
echo "YCPURSYN4FL4QKQSXFTGLYNBHOVVRCQYRZLFHMZFCUFU5R6DCRMQ" > ~/mygrafana_auth_key
echo "UUQW4LIO447WRQOSRSNDXEW5NZMSR3CYOP65ZIFWH6G2PUKWV5WQ" > /var/lib/tor/onion/grafana/0.auth
chown debian-tor:debian-tor -R /var/lib/tor # make tor owner of this folder
systemctl start tor #restart tor systemctl start tor #restart tor
systemctl status tor #check that everything works systemctl status tor #check that everything works
</code></pre> </code></pre>
and add the content below: And that's all you'll need! one hidden service for grafana. <br> You'll find your hostname in /var/lib/tor/onion/grafana/hostname.
<pre><code class="nim">
AutomapHostsSuffixes .onion,.exit
DataDirectory /var/lib/tor
SOCKSPort 127.0.0.1:9050 IsolateDestAddr
HiddenServiceDir /var/lib/tor/onion/grafana
HiddenServicePort 80 127.0.0.1:2700
ClientOnionAuthDir /var/lib/tor/auth_keys
</code></pre>
And that's all you'll need! one hiddn service for grafana. <br> You'll find your hostname in /var/lib/tor/onion/grafana/hostname.
<h2>Prometheus server configuration</h2> <h2>Prometheus server configuration</h2>
clean and simple: we scrape our server every 10s for new data, configure a proxy URL so scraping happens over tor, using our socksport and configure ou scraping targets. clean and simple: we scrape our server every 10s for new data, configure a proxy URL so scraping happens over tor, using our socksport and configure ou scraping targets.
<br> <br>
modify the prometheus.yml file (most likely located in /etc/prometheus)
<pre><code class="nim"> <pre><code class="nim">
vi /etc/prometheus/prometheus.yml
cat /etc/prometheus/prometheus.yml
alerting:
alertmanagers: []
global: global:
scrape_interval: 10s scrape_interval: 10s
remote_read: []
remote_write: []
scrape_configs: scrape_configs:
- job_name: nodes - job_name: remote-nodes
proxy_url: socks5h://localhost:9050 proxy_url: socks5h://localhost:9050
static_configs: static_configs:
- labels: {} - labels: {}
targets: targets:
- [fill later with our client .onion address]:9002 - [clientaddr].onion:9100
- job_name: local-node
static_configs:
- labels: {}
targets:
- localhost:9100
</code></pre> </code></pre>
<h1>Setting up the client</h1> <h2>Grafana configuration</h2>
On the client it's even easier.
<h2>Tor Configuration</h2> First let's start grafana and make it available: as root,
Since prometheus works on a pull model, you will need to expose your node exporter, no need for a socks proxy either.
<br> <br>
<pre><code class="nim"> <pre><code class="nim">
AutomapHostsSuffixes .onion,.exit docker run -d -p 3000:3000 --name=grafana grafana/grafana-enterprise
DataDirectory /var/lib/tor </code</pre>
HiddenServiceDir /var/lib/tor/onion/prometheus
HiddenServicePort 9002 127.0.0.1:9002
</code></pre>
Next, you need to install the prometheus-node-exporter. Depending on your distribution of choice it's very likely it's in your package manager under that name. As tor is already configured you can find your grafana url by looking at /var/lib/tor/onion/grafana/hostname
<br> <br><br>
and here is how we will start it in our unit file (created in /etc/systemd/system/prometheus-node-exporter.service) : <br> Now let's configure a couple of dashboards
<pre><code class="nim">
[Unit]
After=network.target
[Service]
CapabilityBoundingSet=
DeviceAllow=
DynamicUser=false
ExecStart=/bin/node_exporter \
--collector.systemd \
\
--web.listen-address 127.0.0.1:9002 --collector.ethtool --collector.softirqs --collector.tcpstat --collector.wifi
Group=node-exporter
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectClock=false
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=strict
RemoveIPC=true
Restart=always
RestrictAddressFamilies=AF_UNIX
RestrictAddressFamilies=AF_NETLINK
RestrictAddressFamilies=AF_INET
RestrictAddressFamilies=AF_INET6
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
RuntimeDirectory=prometheus-node-exporter
SystemCallArchitectures=native
UMask=0077
User=node-exporter
WorkingDirectory=/tmp
[Install]
WantedBy=multi-user.target
</code></pre>
<br>
Do note that the name of the executable might change based on your distribution. What it does:
<br>
<ul>
<li> collect systemd data (services and so on)</li>
<li> collect internet throughput data</li>
<li> wifi information</li>
<li> cpu interrupts information </li>
</ul>
And make them available to your server.
<br><br>
<b>Right now, if an attacker could find your hidden service URL they could harvest this data about your server, you need to secure it by adding a key that will only allow your aggregator to connect</b><br>
Let's generate a keypair:
<pre><code class="nim">
user@computer$ tor-client-auth-gen
private_key=descriptor:x25519:3B6CE5X4I4XGXA5TDQWQONLLAJ6B5FQNPTBOFSF4AN6K6AJUXBOQ
public_key=descriptor:x25519:H7O5I7HUGLFM4IMPHNRN6L4S6TG4KJYDBXTYGOYJOUHH5NXVPJVA
</code></pre>
The private_key line must be copied to the following path on your prometheus aggregator: /var/lib/tor/auth_keys/prometheus.auth_private, prepended with your target onion address like this<br>
<pre><code>
mymonitoredserver.onion:descriptor:x25519:3B6CE5X4I4XGXA5TDQWQONLLAJ6B5FQNPTBOFSF4AN6K6AJUXBOQ
</code></pre>
The public_key must be added on the monitored server at the following path: /var/lib/tor/prometheus/authorized_clients/server.auth with the following content<br>
<pre><code>
descriptor:x25519:H7O5I7HUGLFM4IMPHNRN6L4S6TG4KJYDBXTYGOYJOUHH5NXVPJVA
</code></pre>
That way, only your monitoring server will be able to authenticate and scrape data from your monitored server.
<br><br>
Grafana has its own authentication system and database, still it reamins a critical service and it's not immune from 0 days and vulnerabilities that could be leveraged to obtain access. In order to apply a <b>defense in depth</b> principle we are going to do the same exercise for it:
<pre><code class="nim">
user@computer$ tor-client-auth-gen
private_key=descriptor:x25519:FD7NAZTGZAXA6CTXNXR3JCVSKAPW23EP5EQOUMXKRQCKACEVUJ7A
public_key=descriptor:x25519:OBIIXC3MWQ4VCEUS7Z6LOMOQG3CFP77SSWE45EDITP55WHVZFM6Q
</code></pre>
We'll put the public key on our monitoring server at /var/lib/tor/grafana/authorized_clients/admin.auth <br>
and our public key on our whonix workstation at /var/lib/tor/auth_keys/grafana.auth_private <br>
That way, even if an attacker discovers your grafana instance URL and has in their possession either your password or an exploit allowing them to do an authentication bypass
they still won't be able to get in unless they also break the encryption underpinning the tor network.
</p> </p>