Improve/harden fail2ban configuration.

* Use nftables sets with a timeout * Start daemon with a hardened unit file and restricted Capability Bounding Set. (This requires to change the log path to /var/log/fail2ban/*.) * Skip database as we don't care about persistence. * Refactor jail.local
author: Guilhem Moulin <guilhem@fripost.org> 2020-01-23 05:33:17 +0100
committer: Guilhem Moulin <guilhem@fripost.org> 2020-01-25 01:57:05 +0100
commit: ee4e9e9836ad05279647b04eb1e8a3a4b0e16568 (patch)
tree: d4e566a7b535f7d62e4fd6fd1a521ea6d7563d21 /roles/common/files/etc/systemd/system/fail2ban.service.d/override.conf
parent: 7641a5d5d152db349082b1d0ec93a40888b2ef8e (diff)
1 files changed, 18 insertions, 0 deletions
diff --git a/roles/common/files/etc/systemd/system/fail2ban.service.d/override.conf b/roles/common/files/etc/systemd/system/fail2ban.service.d/override.conf
new file mode 100644
index 0000000..e3e651f
--- /dev/null
+++ b/roles/common/files/etc/systemd/system/fail2ban.service.d/override.conf
@@ -0,0 +1,18 @@
+[Unit]
+After=nftables.service
+
+[Service]
+# Need explicit rights to read logs as we don't grant CAP_DAC_READ_SEARCH
+SupplementaryGroups=adm
+
+# Hardening
+NoNewPrivileges=yes
+ProtectSystem=strict
+ReadWriteDirectories=/var/log/fail2ban
+RuntimeDirectory=fail2ban
+PrivateDevices=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX AF_NETLINK
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW
author	Guilhem Moulin <guilhem@fripost.org>	2020-01-23 05:33:17 +0100
committer	Guilhem Moulin <guilhem@fripost.org>	2020-01-25 01:57:05 +0100
commit	ee4e9e9836ad05279647b04eb1e8a3a4b0e16568 (patch)
tree	d4e566a7b535f7d62e4fd6fd1a521ea6d7563d21 /roles/common/files/etc/systemd/system/fail2ban.service.d/override.conf
parent	7641a5d5d152db349082b1d0ec93a40888b2ef8e (diff)