oxeo0/blog-contributions
1
0
Fork 0
mirror of http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions.git synced 2025-07-02 11:56:40 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

add monitoring server configuration and start describing onion client auth setup

Browse source
This commit is contained in:
midas 2025-02-18 21:01:12 +01:00
parent 460bfb52a4
commit ecd7ebd089
1 changed files with 75 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

78
opsec/anonymous_server_monitoring/index.html
View file

@ -216,12 +216,15 @@ DataDirectory /var/lib/tor
SOCKSPort 127.0.0.1:9050 IsolateDestAddr SOCKSPort 127.0.0.1:9050 IsolateDestAddr
HiddenServiceDir /var/lib/tor/onion/grafana HiddenServiceDir /var/lib/tor/onion/grafana
HiddenServicePort 80 127.0.0.1:2700 HiddenServicePort 80 127.0.0.1:2700
ClientOnionAuthDir /var/lib/tor/auth_keys
</code></pre> </code></pre>
And that's all you'll need! one hiddn service for grafana. <br> You'll find your hostname in /var/lib/tor/onion/grafana/hostname. And that's all you'll need! one hiddn service for grafana. <br> You'll find your hostname in /var/lib/tor/onion/grafana/hostname.
<h2>Prometheus server configuration</h2> <h2>Prometheus server configuration</h2>
clean and simple: we scrape our server every 10s for new data, configure a proxy URL so scraping happens over tor, using our socksport and configure ou scraping targets clean and simple: we scrape our server every 10s for new data, configure a proxy URL so scraping happens over tor, using our socksport and configure ou scraping targets.
<br>
modify the prometheus.yml file (most likely located in /etc/prometheus)
<pre><code class="nim"> <pre><code class="nim">
global: global:
@ -252,9 +255,52 @@ HiddenServicePort 9002 127.0.0.1:9002
Next, you need to install the prometheus-node-exporter. Depending on your distribution of choice it's very likely it's in your package manager under that name. Next, you need to install the prometheus-node-exporter. Depending on your distribution of choice it's very likely it's in your package manager under that name.
<br> <br>
and here is how we will start it in our unit file : <br> and here is how we will start it in our unit file (created in /etc/systemd/system/prometheus-node-exporter.service) : <br>
<pre><code class="nim"> <pre><code class="nim">
prometheus_node_exporter --collector.systemd --web.listen-address 127.0.0.1:9002 --collector.ethtool --collector.softirqs --collector.tcpstat --collector.wifi
[Unit]
After=network.target
[Service]
CapabilityBoundingSet=
DeviceAllow=
DynamicUser=false
ExecStart=/bin/node_exporter \
--collector.systemd \
\
--web.listen-address 127.0.0.1:9002 --collector.ethtool --collector.softirqs --collector.tcpstat --collector.wifi
Group=node-exporter
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectClock=false
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=strict
RemoveIPC=true
Restart=always
RestrictAddressFamilies=AF_UNIX
RestrictAddressFamilies=AF_NETLINK
RestrictAddressFamilies=AF_INET
RestrictAddressFamilies=AF_INET6
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
RuntimeDirectory=prometheus-node-exporter
SystemCallArchitectures=native
UMask=0077
User=node-exporter
WorkingDirectory=/tmp
[Install]
WantedBy=multi-user.target
</code></pre> </code></pre>
<br> <br>
@ -263,8 +309,34 @@ prometheus_node_exporter --collector.systemd --web.listen-address 127.0.0.1:9002
<ul> <ul>
<li> collect systemd data (services and so on)</li> <li> collect systemd data (services and so on)</li>
<li> collect internet throughput data</li> <li> collect internet throughput data</li>
<li> wifi information</li>
<li> cpu interrupts information </li>
</ul> </ul>
And make them available to your server.
<br><br>
<b>Right now, if an attacker could find your hidden service URL they could harvest this data about your server, you need to secure it by adding a key that will only allow your aggregator to connect</b><br>
Let's generate a keypair:
<pre><code class="nim">
user@computer$ tor-client-auth-gen
private_key=descriptor:x25519:3B6CE5X4I4XGXA5TDQWQONLLAJ6B5FQNPTBOFSF4AN6K6AJUXBOQ
public_key=descriptor:x25519:H7O5I7HUGLFM4IMPHNRN6L4S6TG4KJYDBXTYGOYJOUHH5NXVPJVA
</code></pre>
The private_key line must be copied to the following path on your prometheus aggregator: /var/lib/tor/auth_keys/prometheus.auth_private, prepended with your target onion address like this<br>
<pre><code>
myclientserver.onion:descriptor:x25519:3B6CE5X4I4XGXA5TDQWQONLLAJ6B5FQNPTBOFSF4AN6K6AJUXBOQ
</code></pre>
The public_key must be added on the monitored server at the following path: /var/lib/tor/prometheus/authorized_clients/server.auth with the following content<br>
<pre><code>
descriptor:x25519:H7O5I7HUGLFM4IMPHNRN6L4S6TG4KJYDBXTYGOYJOUHH5NXVPJVA
</code></pre>
That way, only your monitoring server will be able to authenticate and scrape data from your monitored server.
</p> </p>