Configure the sentry context on the Pi
You now need to be able to control the sentry's `root` user from the Raspberry Pi's `pi` user over SSH.
```mermaid
---
title: The Docker admin controls all Docker servers over SSH including itself
---
graph TD;
    classDef dottedBox stroke-dasharray: 5 5;
    Workstation[Personal Workstation] -->|admin via SSH| RaspberryPi[Raspberry Pi - Docker admin]
    RaspberryPi -->|admin self via SSH localhost| RaspberryPi
    RaspberryPi -.->|admin via SSH| Docker2[Docker 2]
    RaspberryPi -.->|admin via SSH| Docker3[Docker 3, etc.]
    RaspberryPi -->|admin via SSH| Sentry[Sentry]
    class Docker2 dottedBox;
    class Docker3 dottedBox;
```
You may want to share a single sentry among several Docker servers at various locations, and this is supported, but you should designate only one machine as the main configuration point (Docker admin) for all other contexts. In this example, the Raspberry Pi is the Docker admin who controls all of your Docker servers, including the sentry and itself.
```mermaid
---
title: A single sentry can proxy for several private Docker servers connected to the same VPN
---
graph TD;
    WebBrowser["Web Browser client 1"] -->|TLS/TCP/UDP from the Internet| Sentry
    TCPClient["TCP client 1"] -->|TLS/TCP/UDP from the Internet| Sentry["Sentry - Public VPS"]
    Sentry -.->|Layer 4/7 proxy protocol over Wireguard| Docker2["Docker2"]
    Sentry -->|Layer 4/7 proxy protocol over Wireguard| RaspberryPi["Raspberry Pi - Docker admin"]
    Sentry -.->|Layer 4/7 proxy protocol over Wireguard| Docker3["Docker3"]
    style Docker2 stroke-dasharray: 5, 5
    style Docker3 stroke-dasharray: 5, 5
```
Add the sentry context on the Pi
```bash
d.rymcg.tech context new
```
```
? This command can help create a new SSH config and Docker context. Proceed? (Y/n) y
? You must specify the SSH config entry to use
  I already have an SSH host entry in ~/.ssh/config that I want to use
> I want to make a new SSH host entry in ~/.ssh/config
? Enter the new SSH context name (short host name) : sentry
? Enter the fully qualified SSH Host DNS name : sentry.example.com
## Here is the new SSH config entry:
Host sentry
    Hostname sentry.example.com
    User root
    ControlMaster auto
    ControlPersist yes
    ControlPath /tmp/ssh-%u-%r@%h:%p
? Do you want to append this config to ~/.ssh/config? (y/N) y
? Do you want to switch to the new sentry context now? (y/N) n
```
You can examine the list of your contexts, of which you should have three by now:
```bash
d.rymcg.tech context list
```
```
NAME        DESCRIPTION                               DOCKER ENDPOINT               ERROR
default *   Current DOCKER_HOST based configuration   unix:///var/run/docker.sock
localhost                                             ssh://localhost
sentry      Created by 'd.rymcg.tech context new'     ssh://sentry
```
`default` is the default context created by Docker itself when it is installed. This context is not used by this configuration.

`localhost` is the SSH context of the workstation over localhost. This is the main context this configuration uses to configure your applications.

`sentry` is the SSH context of the sentry server, entirely remote controlled from the Pi.
The `*` next to the default context indicates the current context of the `docker` command. But since you will be using the context aliases `pi` and `sentry`, you won't be using the `docker` command directly, so the `*` can be ignored.
Test the connection from the Pi to the sentry
```bash
ssh sentry whoami
```
The first time you connect, you must confirm the host fingerprint (type `yes`):
```
The authenticity of host 'sentry' can't be established.
ED25519 key fingerprint is SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
```
On the final line, it will print the output of the command you requested, which should print the username `root`:

```
root
```
Create a new Docker context for the sentry
```bash
d context new
```
```
? This command can help create a new SSH config and Docker context. Proceed? (Y/n) y
? You must specify the SSH config entry to use
> I already have an SSH host entry in ~/.ssh/config that I want to use
  I want to make a new SSH host entry in ~/.ssh/config
? Choose an existing SSH Host config
  pi
> sentry
> Do you want to switch to the new sentry context now? Yes
```
Install Docker on the sentry
```bash
sentry install-docker
```

```
? This will install Docker on the host of your remote Docker context.. Proceed? Yes
```
Test the docker context is functional
```bash
d tmp-context sentry docker info | grep Context
```

```
Context: sentry
```
You should now have two configured Docker contexts on your Pi: `pi` and `sentry`.
You can switch between these two contexts using `d context`. The currently selected context specifies which Docker server is currently being operated on.
Configure Fail2Ban
Fail2Ban scans log files and temporarily bans IP addresses that produce too many failed attempts within a time window. Fail2Ban can be configured to monitor the host SSH server and the Traefik access log, each with its own configurable rules (maximum retries, find time, and ban time).
Configure Fail2Ban via the root context env file:
```bash
## Save config in $HOME/git/vendor/enigmacurry/d.rymcg.tech/.env_$CONTEXT
sentry reconfigure var=FAIL2BAN_ENABLED=true
sentry reconfigure var=FAIL2BAN_IGNORE_IP=
sentry reconfigure var=FAIL2BAN_SSHD_ENABLED=true
sentry reconfigure var=FAIL2BAN_SSHD_MAX_RETRY=2
sentry reconfigure var=FAIL2BAN_SSHD_BAN_TIME=10m
sentry reconfigure var=FAIL2BAN_SSHD_FIND_TIME=10m
sentry reconfigure var=FAIL2BAN_SSHD_ALLOW_IPV6=true
sentry reconfigure var=FAIL2BAN_TRAEFIK_ACCESS_ENABLED=true
sentry reconfigure var=FAIL2BAN_TRAEFIK_ACCESS_ERROR_LIST=400,403,405,407,429,431
sentry reconfigure var=FAIL2BAN_TRAEFIK_ACCESS_MAX_RETRY=5
sentry reconfigure var=FAIL2BAN_TRAEFIK_ACCESS_BAN_TIME=10m
sentry reconfigure var=FAIL2BAN_TRAEFIK_ACCESS_FIND_TIME=10m
sentry reconfigure var=FAIL2BAN_TRAEFIK_ACCESS_ALLOW_IPV6=true
```
If you want to make sure your current IP address does not get banned, add it to the default ignore list:
```bash
sentry reconfigure var=FAIL2BAN_IGNORE_IP=$(curl ifconfig.me)/32
```
The IP ranges for localhost (`127.0.0.1/8`) and the Traefik wireguard VPN (by default `10.13.16.0/24`) are added to this ignore list automatically. You don't need to add these ones yourself.
Re-install Fail2Ban:
```bash
sentry fail2ban
```

```
? This will ENABLE and reset Fail2Ban using your config for context sentry. Proceed? (Y/n) y
? The Traefik access log must be enabled.. Proceed? (Y/n) y
```
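To see what the Traefik access-log jail configured above will actually do, here is an added example (not part of the original page or of the d.rymcg.tech project) that replays those settings over constructed sample log lines: the error list `400,403,405,407,429,431`, `MAX_RETRY=5`, `FIND_TIME=10m`, and the ignore ranges `127.0.0.1/8` and `10.13.16.0/24`. The admin address `203.0.113.7/32` and all log lines are assumptions made up for the example.

```python
import re
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Mirrors the FAIL2BAN_TRAEFIK_ACCESS_* values set on the sentry above
ERROR_LIST = {400, 403, 405, 407, 429, 431}
MAX_RETRY = 5
FIND_TIME = timedelta(minutes=10)
# 127.0.0.1/8 and the Wireguard range are ignored automatically;
# 203.0.113.7/32 is a placeholder for the admin IP added via FAIL2BAN_IGNORE_IP
IGNORE_IP = [ipaddress.ip_network(n, strict=False)
             for n in ("127.0.0.1/8", "10.13.16.0/24", "203.0.113.7/32")]

# Traefik's default CLF-style access line: client IP, user, [timestamp], "request", status ...
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) ')


def ignored(ip):
    """True if the client address falls inside any ignore range (v4 or v6)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in IGNORE_IP)


def find_bans(lines):
    """Return {ip: timestamp} for clients that hit MAX_RETRY error responses within FIND_TIME."""
    hits = defaultdict(deque)  # ip -> timestamps of its recent error responses
    bans = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or int(m["status"]) not in ERROR_LIST:
            continue  # unparsable, or a status that is not counted as a failure
        ip = m["ip"]
        if ip in bans or ignored(ip):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        window = hits[ip]
        window.append(ts)
        while ts - window[0] > FIND_TIME:  # drop failures older than the find time
            window.popleft()
        if len(window) >= MAX_RETRY:
            bans[ip] = ts
    return bans


def _line(ip, minute, status, path="/admin"):
    # Constructed Traefik access-log line (sample data, not a real capture)
    return (f'{ip} - - [01/Jan/2024:12:{minute:02d}:00 +0000] "GET {path} HTTP/1.1" '
            f'{status} 19 "-" "curl/8.0" 1 "web@docker" "http://10.13.16.2:8080" 2ms')


SAMPLE_LOG = (
    [_line("198.51.100.23", m, 403) for m in range(0, 5)]      # 5 x 403 within 5 min: banned
    + [_line("192.0.2.10", m, 403) for m in range(0, 50, 12)]  # 5 x 403 spread over 48 min: never 5 in 10 min
    + [_line("203.0.113.7", m, 429) for m in range(0, 6)]      # admin IP: ignored even at 6 hits
    + [_line("10.13.16.5", 3, 403)]                             # Wireguard peer: ignored
    + [_line("198.51.100.40", 4, 404)]                          # 404 is not in the error list
)
```

Running `find_bans(SAMPLE_LOG)` reports only `198.51.100.23`, banned on its fifth error response at 12:04; the slow scanner, the ignored ranges, and the 404 client never reach the threshold.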