Docker Swarm mode, target/published

I am using Docker Swarm mode on my VPS solely for the purpose of using docker secrets.
The purpose of using docker secrets (which are only available in swarm mode) is obviously to not have any sensitive data on the localhost. With that said, I wanted to go outside the swarm network and bind ports directly to the host’s network.

Example docker-compose.yml as follows:

services:
    btc_mongodb:
        image: mongo:8.0.9-noble
        deploy:
            restart_policy:
                condition: any
                delay: 5s
                max_attempts: 3
                window: 120s
        environment:
            MONGO_INITDB_ROOT_USERNAME_FILE: /run/secrets/mongo_root_username
            MONGO_INITDB_ROOT_PASSWORD_FILE: /run/secrets/mongo_root_password
        ports:
            - target: 27017
              published: 27017
              protocol: tcp
              mode: host
        command: ["mongod", "--bind_ip", "0.0.0.0", "--maxConns", "10000"]
        volumes:
            - db:/data/db
        secrets:
            - mongo_root_username
            - mongo_root_password
        networks:
            - mongodb_network
        healthcheck:
            test: ["CMD", "mongosh", "--eval", "db.adminCommand('ping')"]
            interval: 30s
            timeout: 10s
            retries: 3

networks:
    mongodb_network:
        driver: overlay
        attachable: true

volumes:
    db:
        name: mongodb

secrets:
    mongo_root_username:
        external: true
    mongo_root_password:
        external: true

The following snippet shows the port settings that publish the port directly on the host’s network:

        ports:
            - target: 27017
              published: 27017
              protocol: tcp
              mode: host
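As an added example (not part of the original compose file or of Docker itself), the following Python script normalises compose port entries, both the long form shown above and the short string form, and reports where each published port ends up; the MONGO_PORTS input is constructed to mirror the btc_mongodb service:

```python
"""Normalise Docker Compose port specs and show where each published port lands.
Added example, not part of the compose file above or of Docker. Handles the long
form and the short '[[host_ip:]published:]target[/proto]' form; port ranges and
bracketed IPv6 host_ip values are out of scope and raise ValueError."""
from dataclasses import dataclass
from typing import Optional, Union

@dataclass
class PortSpec:
    target: int               # container port
    published: Optional[int]  # host port; None = ephemeral
    protocol: str = "tcp"
    mode: str = "ingress"     # swarm default: routing mesh on every node
    host_ip: str = ""         # "" = every host interface

def parse_port(entry: Union[dict, str]) -> PortSpec:
    """Accept a long-form mapping or a short-form string."""
    if isinstance(entry, dict):
        pub = entry.get("published")
        return PortSpec(int(entry["target"]), None if pub is None else int(pub),
                        entry.get("protocol", "tcp"), entry.get("mode", "ingress"),
                        entry.get("host_ip", ""))
    spec, _, proto = entry.partition("/")
    proto = proto or "tcp"
    parts = spec.split(":")
    if len(parts) == 1:
        return PortSpec(int(parts[0]), None, proto)
    if len(parts) == 2:
        return PortSpec(int(parts[1]), int(parts[0]), proto)
    if len(parts) == 3:
        return PortSpec(int(parts[2]), int(parts[1]), proto, host_ip=parts[0])
    raise ValueError(f"unparseable port spec: {entry!r}")

def exposure(spec: PortSpec) -> str:
    """Describe where the published port is reachable."""
    if spec.published is None:
        return "ephemeral host port chosen by Docker"
    if spec.mode == "host" and not spec.host_ip:
        return f"host mode: bound on EVERY host interface, port {spec.published}/{spec.protocol}"
    if spec.mode == "host":
        return f"host mode: bound on {spec.host_ip}:{spec.published}/{spec.protocol}"
    return f"ingress mode: routing mesh publishes {spec.published}/{spec.protocol} on every node"

def audit(service: str, ports) -> list:
    """One line per port entry of a service."""
    return [f"{service}: {exposure(parse_port(p))}" for p in ports]

# Constructed input mirroring the btc_mongodb service above.
MONGO_PORTS = [{"target": 27017, "published": 27017, "protocol": "tcp", "mode": "host"}]
```

The host-mode entry above lands on every interface of the node, so the host firewall (not the swarm overlay) is what limits who can reach 27017.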

Setting up fail2ban with firewalld (sshd)

The best solution to counter brute force attacks would be to maintain an allow list of static IPs and limit ssh access to ssh key pairs. This was the plan until I wanted to use GitHub Actions to remote into my server. I decided to counter the ssh brute force attacks with fail2ban.

---1 install package
dnf install fail2ban

---2 enable service and check status
systemctl enable fail2ban
systemctl start fail2ban
systemctl status fail2ban

---3 set up the configuration file (/etc/fail2ban/jail.local)
----- Change values as needed. The action= value names one of the
----- action templates found in /etc/fail2ban/action.d/

/etc/fail2ban # cat jail.local
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/secure
maxretry = 3
# findtime 3600 = 1 hour
findtime = 3600
# bantime 604800 = 7 days (3600 = 1 hour)
#bantime = 3600
bantime = 604800
action = firewallcmd-rich-rules[blocktype=reject, protocol=tcp]

---4 restart fail2ban
systemctl restart fail2ban
systemctl status fail2ban



You can manually ban and unban an address to check that the firewall rules change accordingly.

fail2ban-client set sshd banip IPADDRESS
fail2ban-client set sshd unbanip IPADDRESS
firewall-cmd --list-rich-rules
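To see what the jail values above amount to, here is an added Python simulation (not fail2ban's own code) that applies maxretry = 3, findtime = 3600 and bantime = 604800 to a few constructed /var/log/secure lines and builds the firewalld rich rule each ban would install; the port number 22 (for the jail's "ssh" service name) and the log year are assumptions:

```python
"""Simulate the sshd jail above (maxretry = 3, findtime = 3600 s, bantime = 604800 s)
over constructed /var/log/secure lines. Added example, not fail2ban's own code."""
import re
from collections import defaultdict
from datetime import datetime

MAXRETRY, FINDTIME, BANTIME = 3, 3600, 604800
PORT = 22  # assumption: the jail's 'ssh' service name resolved to its port number
# Subset of fail2ban's sshd filter: failed password and invalid user lines.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Failed password for (?:invalid user )?\S+|Invalid user \S+) from (?P<ip>[\d.]+)"
)

def parse_ts(ts: str, year: int = 2025) -> float:
    """syslog timestamps carry no year; the year is assumed."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S").timestamp()

def rich_rule(ip: str, blocktype: str = "reject", protocol: str = "tcp") -> str:
    """firewalld rich rule of the shape firewallcmd-rich-rules installs per banned IP."""
    return (f"rule family='ipv4' source address='{ip}' "
            f"port port='{PORT}' protocol='{protocol}' {blocktype}")

def scan(lines):
    """Return {ip: (ban_epoch, unban_epoch, rule)} for IPs reaching maxretry within findtime."""
    hits, bans = defaultdict(list), {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are not failures
        ip, t = m["ip"], parse_ts(m["ts"])
        if ip in bans and t < bans[ip][1]:
            continue  # still banned: the reject rule is in place, nothing to recount
        hits[ip] = [x for x in hits[ip] if t - x <= FINDTIME] + [t]
        if len(hits[ip]) >= MAXRETRY:
            bans[ip] = (t, t + BANTIME, rich_rule(ip))
            hits[ip] = []
    return bans

# Constructed log lines: one host hammering within seconds, one legitimate user with
# two failures 85 minutes apart (outside findtime, so never banned), then a success.
LOG = """\
May 12 10:00:01 vps sshd[1201]: Failed password for root from 203.0.113.7 port 51522 ssh2
May 12 10:00:04 vps sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51530 ssh2
May 12 10:00:09 vps sshd[1205]: Invalid user oracle from 203.0.113.7 port 51544
May 12 10:05:00 vps sshd[1210]: Failed password for btro from 198.51.100.20 port 40000 ssh2
May 12 11:30:00 vps sshd[1300]: Failed password for btro from 198.51.100.20 port 40002 ssh2
May 12 12:00:00 vps sshd[1400]: Accepted publickey for btro from 198.51.100.20 port 40010 ssh2
""".splitlines()
```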

Set up an ssh key for git or other services

— I used keychain as the ssh-agent wrapper to load the key (dnf install keychain).
1.) Create an ssh key pair.
2.) Add the ssh public key (.pub file) under your GitHub’s “SSH and GPG keys”. Configure permission settings as needed.
3.) Test the GitHub connection using the ssh key you created earlier.
4.) Edit your .bashrc file so that your session loads the key every time you log in.
(Not secure to store the key locally, but the way I see it, you are toast if your system has been hacked.)
5.) Log in and check that keychain is loaded and the GitHub connection is working properly.

1.) Run ssh-keygen to create the ssh key pair.

btro@~/.ssh $ ssh-keygen -t ed25519 -C "test@test.com"
Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/btro/.ssh/id_ed25519): test_ed25519
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in test_ed25519
Your public key has been saved in test_ed25519.pub
The key fingerprint is:
SHA256:mYiX0FNr4dKdwRHNYbW/uk8Nzoy9n9pKQklTuKZk0po test@test.com
The key's randomart image is:
+--[ED25519 256]--+
|        o.+=++.  |
|     . + +.=+  . |
|    . + * oo. .  |
|     o B *.oo  . |
|    . + S oo  . .|
|     . E ..  * .o|
|           ...=o.|
|            o +..|
|             =*=.|
+----[SHA256]-----+

btro@~/.ssh $ ls | grep test
test_ed25519
test_ed25519.pub

2.) Go to your GitHub “Settings” and “SSH and GPG keys” and add a new SSH key, using the .pub file you created in step 1.

3.) Once your .pub key is added, test the connection from your host to GitHub.

btro@~/.ssh $ ssh -i ./test_ed25519 git@github.com
PTY allocation request failed on channel 0
Hi! You've successfully authenticated, but GitHub does not provide shell access.

4.) To have the key loaded into your ssh-agent persistently, add the following at the end of your .bashrc.

btro@~ $ cat .bashrc | grep eval
eval `keychain --eval --agents ssh ~/.ssh/test_ed25519`

5.) Log out and back in to your host, then confirm that “ssh git@github.com” responds with the same result as in step 3.
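As an added check (example code, not part of the original notes), this Python script parses the .pub line from step 1 and computes the SHA256 fingerprint that ssh-keygen printed, so the key you add to GitHub can be compared against the fingerprint GitHub shows for it; the key bytes are constructed, not a real key:

```python
"""Parse an OpenSSH public key line (the .pub file from step 1) and compute the
SHA256 fingerprint ssh-keygen printed, so the key you add to GitHub can be checked
against it. Added example; the key bytes are constructed, not a real key."""
import base64
import hashlib
import struct

def ssh_string(data: bytes) -> bytes:
    """SSH wire string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def read_ssh_string(blob: bytes, offset: int):
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:end], end

def parse_pubkey_line(line: str):
    """Return (key_type, raw_key, comment); the blob must match the declared type."""
    fields = line.split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type = fields[0]
    comment = fields[2] if len(fields) == 3 else ""
    blob = base64.b64decode(fields[1], validate=True)
    embedded_type, off = read_ssh_string(blob, 0)
    if embedded_type != key_type.encode():
        raise ValueError(f"blob says {embedded_type!r}, line says {key_type!r}")
    raw, off = read_ssh_string(blob, off)
    if key_type == "ssh-ed25519" and len(raw) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    if off != len(blob):
        raise ValueError("trailing data after key")
    return key_type, raw, comment

def fingerprint(line: str) -> str:
    """ssh-keygen -l style: SHA256 over the decoded blob, base64 without '=' padding."""
    parse_pubkey_line(line)  # refuse to fingerprint a malformed line
    digest = hashlib.sha256(base64.b64decode(line.split(None, 2)[1])).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

# Constructed key line (not a real key): 32 sequential bytes standing in for the point.
FAKE_RAW = bytes(range(32))
PUB_LINE = ("ssh-ed25519 "
            + base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(FAKE_RAW)).decode()
            + " test@test.com")
```

Run fingerprint() on the real line from test_ed25519.pub and compare the result with the SHA256 value printed at key creation.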