mirror of
http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions.git
synced 2025-07-02 06:46:42 +00:00
finish workstation configuration and add conclusion
This commit is contained in:
parent
ecd7ebd089
commit
d072a4f54d
1 changed files with 20 additions and 1 deletions
@ -326,7 +326,7 @@ public_key=descriptor:x25519:H7O5I7HUGLFM4IMPHNRN6L4S6TG4KJYDBXTYGOYJOUHH5NXVPJV
The private_key line must be copied to the following path on your prometheus aggregator: /var/lib/tor/auth_keys/prometheus.auth_private, prepended with your target onion address like this<br>
<pre><code>
myclientserver.onion:descriptor:x25519:3B6CE5X4I4XGXA5TDQWQONLLAJ6B5FQNPTBOFSF4AN6K6AJUXBOQ
mymonitoredserver.onion:descriptor:x25519:3B6CE5X4I4XGXA5TDQWQONLLAJ6B5FQNPTBOFSF4AN6K6AJUXBOQ
</code></pre>
The public_key must be added on the monitored server at the following path: /var/lib/tor/prometheus/authorized_clients/server.auth with the following content<br>
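Review bot: the two `.auth_private` example lines in this hunk keep the `.onion` suffix (`myclientserver.onion:descriptor:x25519:...`), but tor's ClientOnionAuthDir format takes the bare 56-character onion address without `.onion`, so the file as shown will not load; strip the suffix from both lines. The sentence "prepended with your target onion address" also does not match an example that lists two addresses, so state plainly that the file holds one `<address>:descriptor:x25519:<private_key>` line per monitored service, and since this is the private half of the pair, add that `/var/lib/tor/auth_keys/prometheus.auth_private` should be owned by the tor user and readable by nobody else.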
@ -335,7 +335,19 @@ descriptor:x25519:H7O5I7HUGLFM4IMPHNRN6L4S6TG4KJYDBXTYGOYJOUHH5NXVPJVA
</code></pre>
That way, only your monitoring server will be able to authenticate and scrape data from your monitored server.
<br><br>
Grafana has its own authentication system and database, still it reamins a critical service and it's not immune from 0 days and vulnerabilities that could be leveraged to obtain access. In order to apply a <b>defense in depth</b> principle we are going to do the same exercise for it:
<pre><code class="nim">
user@computer$ tor-client-auth-gen
private_key=descriptor:x25519:FD7NAZTGZAXA6CTXNXR3JCVSKAPW23EP5EQOUMXKRQCKACEVUJ7A
public_key=descriptor:x25519:OBIIXC3MWQ4VCEUS7Z6LOMOQG3CFP77SSWE45EDITP55WHVZFM6Q
</code></pre>
We'll put the public key on our monitoring server at /var/lib/tor/grafana/authorized_clients/admin.auth <br>
and our public key on our whonix workstation at /var/lib/tor/auth_keys/grafana.auth_private <br>
That way, even if an attacker discovers your grafana instance URL and has in their possession either your password or an exploit allowing them to do an authentication bypass
they still won't be able to get in unless they also break the encryption underpinning the tor network.
</p>
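Review bot: the two placement sentences in this hunk both say "public key", which is wrong for the second one: `/var/lib/tor/grafana/authorized_clients/admin.auth` on the monitoring server does take the `public_key` line, but `/var/lib/tor/auth_keys/grafana.auth_private` on the workstation must hold the `private_key` line, prefixed with the grafana onion address exactly as the prometheus file was; change "and our public key on our whonix workstation" to "and our private key". Fix "reamins" to "remains". The closing claim that an attacker "won't be able to get in unless they also break the encryption underpinning the tor network" overstates the control: client authorization only requires possession of that x25519 private key, so a compromised workstation or a leaked `.auth_private` file is the realistic bypass, and the text should say so instead of pointing at tor's cryptography.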
@ -349,6 +361,10 @@ descriptor:x25519:H7O5I7HUGLFM4IMPHNRN6L4S6TG4KJYDBXTYGOYJOUHH5NXVPJVA
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h1> <b>Connecting to our grafana instance</b></h1>
On your monitoring server you can find your hostname at /var/lib/tor/grafana/hostname. Use it in the tor browser to reach your instance. You might be prompted for your private key if tor browser doesn't use your system's tor daemon. To avoid that you can change its connection settings.
<h1>
</div>
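Review bot: the `<h1>` opened after the "Connecting to our grafana instance" paragraph is never closed before `</div>`, so the rest of the page will render inside a heading; either delete it or give it a matching `</h1>`. The paragraph also says "To avoid that you can change its connection settings" without naming the setting; since the whole section hinges on the browser using a tor that already has the `.auth_private` key, spell out what to change (or say that pasting the `private_key` value into Tor Browser's prompt is acceptable) rather than leaving the reader to guess.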
@ -362,6 +378,9 @@ descriptor:x25519:H7O5I7HUGLFM4IMPHNRN6L4S6TG4KJYDBXTYGOYJOUHH5NXVPJVA
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h1><b>Conclusion</b></h1>
In this article we saw why and how you need to implement anonymous server monitoring for your infrastructure. If you are running hidden services with any form of sensitive data stored on them, having them under constant monitoring is a must but this monitoring must not compromise your identity or the rest of your infrastructure.
</div>
</div><!-- /row -->
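Review bot: "why and how you need to implement" reads awkwardly; "why and how to implement" is cleaner. The conclusion would also land better if it named the two controls the article actually set up, Tor client authorization on the prometheus onion and on the grafana onion, so that "this monitoring must not compromise your identity or the rest of your infrastructure" is tied to something concrete instead of closing on a general statement.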