Infrastructure Monitoring Dashboard as a Tor Hidden Service

Infrastructure monitoring dashboards contain operationally sensitive information: server IP addresses and hostnames, service names and versions (useful for targeted vulnerability exploitation), performance baselines (an attacker who knows normal performance can detect anomalies or plan timed attacks), alerting thresholds (knowing when alerts trigger allows attackers to stay just below detection limits), and infrastructure topology (which services depend on which others). A monitoring dashboard leaked to an attacker provides reconnaissance data equivalent to an internal network map. Exposing Grafana or similar on a public port - even with authentication - creates a target for credential brute-force, known authentication vulnerabilities in dashboard software, and information leakage through unauthenticated API endpoints. Running monitoring as a .onion hidden service eliminates the attack surface: no public port, no discoverable IP, no authentication bypass attempts from the internet.

Grafana is the most widely deployed metrics visualization platform. Install Grafana: apt install grafana. Configure /etc/grafana/grafana.ini: set http_addr = 127.0.0.1 (not the default 0.0.0.0 which binds to all interfaces) and http_port = 3000. Configure Tor: HiddenServiceDir /var/lib/tor/monitoring/ and HiddenServicePort 3000 127.0.0.1:3000. Access Grafana via Tor Browser at the .onion URL. Configure dashboards: connect Grafana to Prometheus (running locally on the monitoring server), InfluxDB, or other data sources. For distributed monitoring (monitored servers sending metrics to the Grafana server): Prometheus can scrape metrics from servers via Tor (configure Prometheus to use Tor SOCKS5 proxy for scraping remote targets). Alerting via Grafana: configure alerts to send to a private Telegram bot or email via Tor-accessible SMTP.

Netdata provides real-time, high-resolution system metrics with a built-in dashboard. Install Netdata via the official script. By default, Netdata listens on port 19999. Configure Netdata to listen only on localhost: in /etc/netdata/netdata.conf set bind to = 127.0.0.1 under the [web] section. Configure Tor: HiddenServicePort 19999 127.0.0.1:19999. Access the Netdata dashboard via Tor Browser at the .onion URL. Netdata streaming: configure monitored servers (with Netdata installed) to stream metrics to the central Netdata server via Tor. In the monitored server Netdata configuration: configure the [stream] section with destination = yourcentral.onion:19999 and api key = . The streaming connection uses Tor SOCKS5 proxy (configure proxy_host = 127.0.0.1 and proxy_port = 9050 in Netdata stream configuration).

Uptime Kuma is a self-hosted uptime monitoring tool with a clean dashboard. Install via Docker: docker run -d --restart=always -p 127.0.0.1:3001:3001 louislam/uptime-kuma:1. Configure Tor: HiddenServicePort 3001 127.0.0.1:3001. Uptime Kuma monitors: website availability (HTTP/HTTPS checks), TCP port availability, DNS resolution, Docker container status, and database connections. For monitoring .onion services: Uptime Kuma can monitor .onion addresses if configured to use Tor's SOCKS5 proxy for its HTTP checks. Set SOCKS5 proxy in Uptime Kuma settings (Proxy Management section): add a SOCKS5 proxy at 127.0.0.1:9050 and enable it for monitors that check .onion URLs. This creates a monitoring setup where Uptime Kuma (behind .onion) checks both clearnet and .onion services and presents results via the .onion dashboard.

For organizations with infrastructure in multiple locations: establish a central monitoring server running Grafana + Prometheus + Tor (as .onion hidden service). Deploy Prometheus Node Exporter on each monitored server. Configure Prometheus on the central server to scrape remote Node Exporters via Tor: add to prometheus.yml scrape_configs with proxy_url: socks5://127.0.0.1:9050. This requires each monitored server to expose its Node Exporter as a Tor hidden service (HiddenServicePort 9100 127.0.0.1:9100). The central Prometheus scrapes metrics from each server's .onion:9100 address via Tor. All monitoring traffic routes through Tor - no clearnet connection between monitored servers and the monitoring server. Benefits: the monitoring server's IP is hidden from monitored servers (they see Tor exit IPs), and the monitoring architecture does not create clearnet connections that could be tracked.