finish workstation configuration and add conclusion

This commit is contained in:
midas 2025-02-19 13:04:39 +01:00
parent ecd7ebd089
commit d072a4f54d


@ -326,7 +326,7 @@ public_key=descriptor:x25519:H7O5I7HUGLFM4IMPHNRN6L4S6TG4KJYDBXTYGOYJOUHH5NXVPJV
The private_key line must be copied to the following path on your prometheus aggregator: /var/lib/tor/auth_keys/prometheus.auth_private, prepended with your target onion address like this<br>
<pre><code>
myclientserver.onion:descriptor:x25519:3B6CE5X4I4XGXA5TDQWQONLLAJ6B5FQNPTBOFSF4AN6K6AJUXBOQ
mymonitoredserver.onion:descriptor:x25519:3B6CE5X4I4XGXA5TDQWQONLLAJ6B5FQNPTBOFSF4AN6K6AJUXBOQ
</code></pre>
The public_key must be added on the monitored server at the following path: /var/lib/tor/prometheus/authorized_clients/server.auth with the following content<br>
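Review bot: the two-line example for prometheus.auth_private does not match what Tor expects for files in ClientOnionAuthDir: each .auth_private file holds exactly one line for one onion service, and the address is written without its .onion suffix, i.e. `<56-char-onion-addr-without-.onion-part>:descriptor:x25519:<private-key>`. As shown, the same private_key is also pasted for both myclientserver and mymonitoredserver; if one client key pair is deliberately reused across services, say so, otherwise show one generated pair per service, each in its own file (for example prometheus-client.auth_private and prometheus-monitored.auth_private).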
@ -335,7 +335,19 @@ descriptor:x25519:H7O5I7HUGLFM4IMPHNRN6L4S6TG4KJYDBXTYGOYJOUHH5NXVPJVA
</code></pre>
That way, only your monitoring server will be able to authenticate and scrape data from your monitored server.
<br><br>
Grafana has its own authentication system and database, still it reamins a critical service and it's not immune from 0 days and vulnerabilities that could be leveraged to obtain access. In order to apply a <b>defense in depth</b> principle we are going to do the same exercise for it:
<pre><code class="nim">
user@computer$ tor-client-auth-gen
private_key=descriptor:x25519:FD7NAZTGZAXA6CTXNXR3JCVSKAPW23EP5EQOUMXKRQCKACEVUJ7A
public_key=descriptor:x25519:OBIIXC3MWQ4VCEUS7Z6LOMOQG3CFP77SSWE45EDITP55WHVZFM6Q
</code></pre>
We'll put the public key on our monitoring server at /var/lib/tor/grafana/authorized_clients/admin.auth <br>
and our public key on our whonix workstation at /var/lib/tor/auth_keys/grafana.auth_private <br>
That way, even if an attacker discovers your grafana instance URL and has in their possession either your password or an exploit allowing them to do an authentication bypass
they still won't be able to get in unless they also break the encryption underpinning the tor network.
</p>
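Review bot: the line "and our public key on our whonix workstation at /var/lib/tor/auth_keys/grafana.auth_private" should read "private key": the .auth_private file takes the private_key line from tor-client-auth-gen (prefixed with the grafana onion address, as in the prometheus section above), while the public_key line is what goes into admin.auth on the monitoring server. Also "reamins" should be "remains", and `<pre><code class="nim">` labels a shell session as Nim; use the same plain `<pre><code>` as the earlier block or a shell class.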
@ -349,6 +361,10 @@ descriptor:x25519:H7O5I7HUGLFM4IMPHNRN6L4S6TG4KJYDBXTYGOYJOUHH5NXVPJVA
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h1> <b>Connecting to our grafana instance</b></h1>
On your monitoring server you can find your hostname at /var/lib/tor/grafana/hostname. Use it in the tor browser to reach your instance. You might be prompted for your private key if tor browser doesn't use your system's tor daemon. To avoid that you can change its connection settings.
<h1>
</div>
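Review bot: the bare `<h1>` on the line before `</div>` is never closed, so everything after it will render as a heading; drop it or turn it into the matching `</h1>` for the "Connecting to our grafana instance" title. The sentence "To avoid that you can change its connection settings." is the step that decides whether the client-auth key is actually picked up, so it should name which setting is meant (pointing Tor Browser at the system tor daemon that owns /var/lib/tor/auth_keys) rather than leave the reader to guess.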
@ -362,6 +378,9 @@ descriptor:x25519:H7O5I7HUGLFM4IMPHNRN6L4S6TG4KJYDBXTYGOYJOUHH5NXVPJVA
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h1><b>Conclusion</b></h1>
In this article we saw why and how you need to implement anonymous server monitoring for your infrastructure. If you are running hidden services with any form of sensitive data stored on them, having them under constant monitoring is a must but this monitoring must not compromise your identity or the rest of your infrastructure.
</div>
</div><!-- /row -->
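Review bot: "why and how you need to implement" reads awkwardly; suggest "why you need to implement anonymous server monitoring for your infrastructure, and how to do it". Since the conclusion closes the article, it could also restate the key takeaway of the added sections: client authorization on the onion services gates who can even reach Prometheus and Grafana, while the Grafana login remains a second, independent layer.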