mirror of
http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions.git
synced 2025-07-02 06:46:42 +00:00
add monitoring server configuration and start describing onion client auth setup
This commit is contained in:
midas
parent
460bfb52a4
commit
ecd7ebd089
1 changed files with 75 additions and 3 deletions
|
|
@ -216,12 +216,15 @@ DataDirectory /var/lib/tor
|
|||
SOCKSPort 127.0.0.1:9050 IsolateDestAddr
|
||||
HiddenServiceDir /var/lib/tor/onion/grafana
|
||||
HiddenServicePort 80 127.0.0.1:2700
|
||||
ClientOnionAuthDir /var/lib/tor/auth_keys
|
||||
</code></pre>
|
||||
|
||||
And that's all you'll need! one hiddn service for grafana. <br> You'll find your hostname in /var/lib/tor/onion/grafana/hostname.
|
||||
|
||||
<h2>Prometheus server configuration</h2>
|
||||
clean and simple: we scrape our server every 10s for new data, configure a proxy URL so scraping happens over tor, using our socksport and configure ou scraping targets
|
||||
clean and simple: we scrape our server every 10s for new data, configure a proxy URL so scraping happens over tor, using our socksport and configure ou scraping targets.
|
||||
<br>
|
||||
modify the prometheus.yml file (most likely located in /etc/prometheus)
|
||||
|
||||
<pre><code class="nim">
|
||||
global:
|
||||
|
|
@ -252,9 +255,52 @@ HiddenServicePort 9002 127.0.0.1:9002
|
|||
Next, you need to install the prometheus-node-exporter. Depending on your distribution of choice it's very likely it's in your package manager under that name.
|
||||
<br>
|
||||
|
||||
and here is how we will start it in our unit file : <br>
|
||||
and here is how we will start it in our unit file (created in /etc/systemd/system/prometheus-node-exporter.service) : <br>
|
||||
<pre><code class="nim">
|
||||
prometheus_node_exporter --collector.systemd --web.listen-address 127.0.0.1:9002 --collector.ethtool --collector.softirqs --collector.tcpstat --collector.wifi
|
||||
|
||||
[Unit]
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
CapabilityBoundingSet=
|
||||
DeviceAllow=
|
||||
DynamicUser=false
|
||||
ExecStart=/bin/node_exporter \
|
||||
--collector.systemd \
|
||||
\
|
||||
--web.listen-address 127.0.0.1:9002 --collector.ethtool --collector.softirqs --collector.tcpstat --collector.wifi
|
||||
|
||||
Group=node-exporter
|
||||
LockPersonality=true
|
||||
MemoryDenyWriteExecute=true
|
||||
NoNewPrivileges=true
|
||||
PrivateDevices=true
|
||||
PrivateTmp=true
|
||||
ProtectClock=false
|
||||
ProtectControlGroups=true
|
||||
ProtectHome=true
|
||||
ProtectHostname=true
|
||||
ProtectKernelLogs=true
|
||||
ProtectKernelModules=true
|
||||
ProtectKernelTunables=true
|
||||
ProtectSystem=strict
|
||||
RemoveIPC=true
|
||||
Restart=always
|
||||
RestrictAddressFamilies=AF_UNIX
|
||||
RestrictAddressFamilies=AF_NETLINK
|
||||
RestrictAddressFamilies=AF_INET
|
||||
RestrictAddressFamilies=AF_INET6
|
||||
RestrictNamespaces=true
|
||||
RestrictRealtime=true
|
||||
RestrictSUIDSGID=true
|
||||
RuntimeDirectory=prometheus-node-exporter
|
||||
SystemCallArchitectures=native
|
||||
UMask=0077
|
||||
User=node-exporter
|
||||
WorkingDirectory=/tmp
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
</code></pre>
|
||||
|
||||
<br>
|
||||
|
|
@ -263,8 +309,34 @@ prometheus_node_exporter --collector.systemd --web.listen-address 127.0.0.1:9002
|
|||
<ul>
|
||||
<li> collect systemd data (services and so on)</li>
|
||||
<li> collect internet throughput data</li>
|
||||
<li> wifi information</li>
|
||||
<li> cpu interrupts information </li>
|
||||
</ul>
|
||||
|
||||
And make them available to your server.
|
||||
<br><br>
|
||||
<b>Right now, if an attacker could find your hidden service URL they could harvest this data about your server, you need to secure it by adding a key that will only allow your aggregator to connect</b><br>
|
||||
|
||||
Let's generate a keypair:
|
||||
<pre><code class="nim">
|
||||
user@computer$ tor-client-auth-gen
|
||||
private_key=descriptor:x25519:3B6CE5X4I4XGXA5TDQWQONLLAJ6B5FQNPTBOFSF4AN6K6AJUXBOQ
|
||||
public_key=descriptor:x25519:H7O5I7HUGLFM4IMPHNRN6L4S6TG4KJYDBXTYGOYJOUHH5NXVPJVA
|
||||
</code></pre>
|
||||
|
||||
The private_key line must be copied to the following path on your prometheus aggregator: /var/lib/tor/auth_keys/prometheus.auth_private, prepended with your target onion address like this<br>
|
||||
<pre><code>
|
||||
myclientserver.onion:descriptor:x25519:3B6CE5X4I4XGXA5TDQWQONLLAJ6B5FQNPTBOFSF4AN6K6AJUXBOQ
|
||||
</code></pre>
|
||||
|
||||
The public_key must be added on the monitored server at the following path: /var/lib/tor/prometheus/authorized_clients/server.auth with the following content<br>
|
||||
<pre><code>
|
||||
descriptor:x25519:H7O5I7HUGLFM4IMPHNRN6L4S6TG4KJYDBXTYGOYJOUHH5NXVPJVA
|
||||
</code></pre>
|
||||
|
||||
That way, only your monitoring server will be able to authenticate and scrape data from your monitored server.
|
||||
|
||||
|
||||
|
||||
</p>
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue