diff options
author | Guilhem Moulin <guilhem@fripost.org> | 2020-01-23 05:33:17 +0100 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2020-01-25 01:57:05 +0100 |
commit | ee4e9e9836ad05279647b04eb1e8a3a4b0e16568 (patch) | |
tree | d4e566a7b535f7d62e4fd6fd1a521ea6d7563d21 /roles/common/files/etc/systemd | |
parent | 7641a5d5d152db349082b1d0ec93a40888b2ef8e (diff) |
Improve/harden fail2ban configuration.
* Use nftables sets with a timeout
* Start daemon with a hardened unit file and restricted Capability
Bounding Set. (This requires to change the log path to
/var/log/fail2ban/*.)
* Skip database as we don't care about persistence.
* Refactor jail.local
Diffstat (limited to 'roles/common/files/etc/systemd')
-rw-r--r-- | roles/common/files/etc/systemd/system/fail2ban.service.d/override.conf | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/roles/common/files/etc/systemd/system/fail2ban.service.d/override.conf b/roles/common/files/etc/systemd/system/fail2ban.service.d/override.conf new file mode 100644 index 0000000..e3e651f --- /dev/null +++ b/roles/common/files/etc/systemd/system/fail2ban.service.d/override.conf @@ -0,0 +1,18 @@ +[Unit] +After=nftables.service + +[Service] +# Need explicit rights to read logs as we don't grant CAP_DAC_READ_SEARCH +SupplementaryGroups=adm + +# Hardening +NoNewPrivileges=yes +ProtectSystem=strict +ReadWriteDirectories=/var/log/fail2ban +RuntimeDirectory=fail2ban +PrivateDevices=yes +ProtectControlGroups=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +RestrictAddressFamilies=AF_UNIX AF_NETLINK +CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW |