From d072a4f54de41d58bfcfff1af8c1126e5595397b Mon Sep 17 00:00:00 2001
From: midas <midas@mullsec>
Date: Wed, 19 Feb 2025 13:04:39 +0100
Subject: [PATCH] finish workstation configuration and add conclusion

---
 opsec/anonymous_server_monitoring/index.html | 21 +++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/opsec/anonymous_server_monitoring/index.html b/opsec/anonymous_server_monitoring/index.html
index 11f5bd3..6ef9d03 100644
--- a/opsec/anonymous_server_monitoring/index.html
+++ b/opsec/anonymous_server_monitoring/index.html
@@ -326,7 +326,7 @@ public_key=descriptor:x25519:H7O5I7HUGLFM4IMPHNRN6L4S6TG4KJYDBXTYGOYJOUHH5NXVPJV
 
  The private_key line must be copied to the following path on your prometheus aggregator: /var/lib/tor/auth_keys/prometheus.auth_private, prepended with your target onion address like this<br>
  <pre><code>
- myclientserver.onion:descriptor:x25519:3B6CE5X4I4XGXA5TDQWQONLLAJ6B5FQNPTBOFSF4AN6K6AJUXBOQ
+ mymonitoredserver.onion:descriptor:x25519:3B6CE5X4I4XGXA5TDQWQONLLAJ6B5FQNPTBOFSF4AN6K6AJUXBOQ
  </code></pre>
 
  The public_key must be added on the monitored server at the following path: /var/lib/tor/prometheus/authorized_clients/server.auth with the following content<br>
@@ -335,7 +335,19 @@ descriptor:x25519:H7O5I7HUGLFM4IMPHNRN6L4S6TG4KJYDBXTYGOYJOUHH5NXVPJVA
  </code></pre>
 
  That way, only your monitoring server will be able to authenticate and scrape data from your monitored server.
+ <br><br>
+ Grafana has its own authentication system and database, still it reamins a critical service and it's not immune from 0 days and vulnerabilities that could be leveraged to obtain access. In order to apply a <b>defense in depth</b> principle we are going to do the same exercise for it:
 
+ <pre><code class="nim">
+ user@computer$ tor-client-auth-gen 
+private_key=descriptor:x25519:FD7NAZTGZAXA6CTXNXR3JCVSKAPW23EP5EQOUMXKRQCKACEVUJ7A
+public_key=descriptor:x25519:OBIIXC3MWQ4VCEUS7Z6LOMOQG3CFP77SSWE45EDITP55WHVZFM6Q
+ </code></pre>
+
+ We'll put the public key on our monitoring server at /var/lib/tor/grafana/authorized_clients/admin.auth <br>
+ and our public key on our whonix workstation at /var/lib/tor/auth_keys/grafana.auth_private <br>
+ That way, even if an attacker discovers your grafana instance URL and has in their possession either your password or an exploit allowing them to do an authentication bypass
+ they still won't be able to get in unless they also break the encryption underpinning the tor network.
 
 
                     </p>
@@ -349,6 +361,10 @@ descriptor:x25519:H7O5I7HUGLFM4IMPHNRN6L4S6TG4KJYDBXTYGOYJOUHH5NXVPJVA
 	    <div class="container">
 			<div class="row">
 				<div class="col-lg-8 col-lg-offset-2">
+                    <h1> <b>Connecting to our grafana instance</b></h1>
+                    On your monitoring server you can find your hostname at /var/lib/tor/grafana/hostname. Use it in the tor browser to reach your instance. You might be prompted for your private key if tor browser doesn't use your system's tor daemon. To avoid that you can change its connection settings.
+
+                    <h1>
 
           
 	       </div>
@@ -362,6 +378,9 @@ descriptor:x25519:H7O5I7HUGLFM4IMPHNRN6L4S6TG4KJYDBXTYGOYJOUHH5NXVPJVA
 			<div class="row">
 				<div class="col-lg-8 col-lg-offset-2">
 
+                    <h1><b>Conclusion</b></h1>
+                    In this article we saw why and how you need to implement anonymous server monitoring for your infrastructure. If you are running hidden services with any form of sensitive data stored on them, having them under constant monitoring is a must but this monitoring must not compromise your identity or the rest of your infrastructure.
+
           
 	       </div>
 			</div><!-- /row -->