diff --git a/opsec/anonymous_server_monitoring/index.html b/opsec/anonymous_server_monitoring/index.html
index 2da909e..11f5bd3 100644
--- a/opsec/anonymous_server_monitoring/index.html
+++ b/opsec/anonymous_server_monitoring/index.html
@@ -216,12 +216,15 @@ DataDirectory /var/lib/tor
 SOCKSPort 127.0.0.1:9050 IsolateDestAddr
 HiddenServiceDir /var/lib/tor/onion/grafana
 HiddenServicePort 80 127.0.0.1:2700
+ClientOnionAuthDir /var/lib/tor/auth_keys
 And that's all you'll need! one hiddn service for grafana.
You'll find your hostname in /var/lib/tor/onion/grafana/hostname.

Prometheus server configuration

-clean and simple: we scrape our server every 10s for new data, configure a proxy URL so scraping happens over tor, using our socksport and configure ou scraping targets
+clean and simple: we scrape our server every 10s for new data, configure a proxy URL so scraping happens over tor, using our socksport and configure ou scraping targets.
+
+modify the prometheus.yml file (most likely located in /etc/prometheus)

 global:
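Review bot: `ClientOnionAuthDir /var/lib/tor/auth_keys` is added to the aggregator's torrc without any explanation, and the sentence that follows still says this is "all you'll need" for the grafana hidden service; what the directory is for (the aggregator's `*.auth_private` client-auth files for the monitored server's onion) is only introduced in a later hunk. Suggest a sentence right after the listing such as `ClientOnionAuthDir is where the private client-auth key for the monitored server's onion address will be placed (see below); create it before restarting tor, owned by the tor user and not readable by other accounts.` The ownership/permission wording is general tor practice rather than something this page states, so confirm it against the tor manual before publishing. The new prometheus.yml sentence also keeps the typo `ou scraping targets` (for `our`), and `hiddn` remains in the context line.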
@@ -252,9 +255,52 @@ HiddenServicePort 9002 127.0.0.1:9002
  Next, you need to install the prometheus-node-exporter. Depending on your distribution of choice it's very likely it's in your package manager under that name.
  
- and here is how we will start it in our unit file :
+ and here is how we will start it in our unit file (created in /etc/systemd/system/prometheus-node-exporter.service) :

-prometheus_node_exporter --collector.systemd --web.listen-address 127.0.0.1:9002 --collector.ethtool --collector.softirqs --collector.tcpstat --collector.wifi
+
+[Unit]
+After=network.target
+
+[Service]
+CapabilityBoundingSet=
+DeviceAllow=
+DynamicUser=false
+ExecStart=/bin/node_exporter \
+  --collector.systemd \
+   \
+  --web.listen-address 127.0.0.1:9002 --collector.ethtool --collector.softirqs --collector.tcpstat --collector.wifi
+
+Group=node-exporter
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+ProtectClock=false
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+RemoveIPC=true
+Restart=always
+RestrictAddressFamilies=AF_UNIX
+RestrictAddressFamilies=AF_NETLINK
+RestrictAddressFamilies=AF_INET
+RestrictAddressFamilies=AF_INET6
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+RuntimeDirectory=prometheus-node-exporter
+SystemCallArchitectures=native
+UMask=0077
+User=node-exporter
+WorkingDirectory=/tmp
+
+[Install]
+WantedBy=multi-user.target
  

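Review bot: The unit sets `User=node-exporter` and `Group=node-exporter` with `DynamicUser=false`, but nothing in the change creates that account, so the service will fail to start on a host where the package did not add it; the text before the listing should tell the reader to create it (a system user with no login shell) or the unit should use `DynamicUser=true`, which also makes the explicit `User=`/`Group=` lines unnecessary. `ExecStart=/bin/node_exporter` names a different binary than the `prometheus-node-exporter` package the prose installs and the `prometheus_node_exporter` command the removed line used, so the installed path needs to be confirmed; a wrong path just fails at start. The `\`-only continuation line between `--collector.systemd \` and the `--web.listen-address` line looks like a leftover and can be dropped. A `Description=` line in `[Unit]` would help when the unit shows up in `systemctl status` and journal output.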
@@ -263,8 +309,34 @@ prometheus_node_exporter --collector.systemd --web.listen-address 127.0.0.1:9002
+ And make them available to your server.
+

+ Right now, if an attacker could find your hidden service URL they could harvest this data about your server, you need to secure it by adding a key that will only allow your aggregator to connect
+
+ Let's generate a keypair:
+

+ user@computer$ tor-client-auth-gen 
+private_key=descriptor:x25519:3B6CE5X4I4XGXA5TDQWQONLLAJ6B5FQNPTBOFSF4AN6K6AJUXBOQ
+public_key=descriptor:x25519:H7O5I7HUGLFM4IMPHNRN6L4S6TG4KJYDBXTYGOYJOUHH5NXVPJVA
+ 
+
+ The private_key line must be copied to the following path on your prometheus aggregator: /var/lib/tor/auth_keys/prometheus.auth_private, prepended with your target onion address like this
+

+ myclientserver.onion:descriptor:x25519:3B6CE5X4I4XGXA5TDQWQONLLAJ6B5FQNPTBOFSF4AN6K6AJUXBOQ
+ 
+
+ The public_key must be added on the monitored server at the following path: /var/lib/tor/prometheus/authorized_clients/server.auth with the following content
+

+descriptor:x25519:H7O5I7HUGLFM4IMPHNRN6L4S6TG4KJYDBXTYGOYJOUHH5NXVPJVA
+ 
+
+ That way, only your monitoring server will be able to authenticate and scrape data from your monitored server.
+
+