summaryrefslogtreecommitdiffstats
path: root/roles/common/files/etc/systemd
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2020-01-23 05:33:17 +0100
committerGuilhem Moulin <guilhem@fripost.org>2020-01-25 01:57:05 +0100
commitee4e9e9836ad05279647b04eb1e8a3a4b0e16568 (patch)
treed4e566a7b535f7d62e4fd6fd1a521ea6d7563d21 /roles/common/files/etc/systemd
parent7641a5d5d152db349082b1d0ec93a40888b2ef8e (diff)
Improve/harden fail2ban configuration.
* Use nftables sets with a timeout * Start daemon with a hardened unit file and restricted Capability Bounding Set. (This requires to change the log path to /var/log/fail2ban/*.) * Skip database as we don't care about persistence. * Refactor jail.local
Diffstat (limited to 'roles/common/files/etc/systemd')
-rw-r--r--roles/common/files/etc/systemd/system/fail2ban.service.d/override.conf18
1 files changed, 18 insertions, 0 deletions
diff --git a/roles/common/files/etc/systemd/system/fail2ban.service.d/override.conf b/roles/common/files/etc/systemd/system/fail2ban.service.d/override.conf
new file mode 100644
index 0000000..e3e651f
--- /dev/null
+++ b/roles/common/files/etc/systemd/system/fail2ban.service.d/override.conf
@@ -0,0 +1,18 @@
+[Unit]
+After=nftables.service
+
+[Service]
+# Need explicit rights to read logs as we don't grant CAP_DAC_READ_SEARCH
+SupplementaryGroups=adm
+
+# Hardening
+NoNewPrivileges=yes
+ProtectSystem=strict
+ReadWriteDirectories=/var/log/fail2ban
+RuntimeDirectory=fail2ban
+PrivateDevices=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX AF_NETLINK
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW