summaryrefslogtreecommitdiffstats
path: root/roles/common/files/etc/systemd/system/fail2ban.service.d/override.conf
diff options
context:
space:
mode:
Diffstat (limited to 'roles/common/files/etc/systemd/system/fail2ban.service.d/override.conf')
-rw-r--r--roles/common/files/etc/systemd/system/fail2ban.service.d/override.conf21
1 files changed, 21 insertions, 0 deletions
diff --git a/roles/common/files/etc/systemd/system/fail2ban.service.d/override.conf b/roles/common/files/etc/systemd/system/fail2ban.service.d/override.conf
new file mode 100644
index 0000000..b34d130
--- /dev/null
+++ b/roles/common/files/etc/systemd/system/fail2ban.service.d/override.conf
@@ -0,0 +1,21 @@
+[Unit]
+After=nftables.service
+
+[Service]
+ExecStartPre=
+ExecStart=
+ExecStart=/usr/bin/fail2ban-server -xf --logtarget=sysout start
+
+# Need explicit rights to read logs as we don't grant CAP_DAC_READ_SEARCH
+SupplementaryGroups=adm
+
+# Hardening
+NoNewPrivileges=yes
+ProtectSystem=strict
+RuntimeDirectory=fail2ban
+PrivateDevices=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX AF_NETLINK
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW
generated by cgit v1.2.3 (git 2.25.1) at 2025-04-29 10:09:39 +0000