From ee4e9e9836ad05279647b04eb1e8a3a4b0e16568 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Thu, 23 Jan 2020 05:33:17 +0100
Subject: Improve/harden fail2ban configuration.

 * Use nftables sets with a timeout
 * Start daemon with a hardened unit file and restricted Capability
   Bounding Set.  (This requires to change the log path to
   /var/log/fail2ban/*.)
 * Skip database as we don't care about persistence.
 * Refactor jail.local
---
 .../systemd/system/fail2ban.service.d/override.conf    | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100644 roles/common/files/etc/systemd/system/fail2ban.service.d/override.conf

(limited to 'roles/common/files/etc/systemd/system/fail2ban.service.d/override.conf')

diff --git a/roles/common/files/etc/systemd/system/fail2ban.service.d/override.conf b/roles/common/files/etc/systemd/system/fail2ban.service.d/override.conf
new file mode 100644
index 0000000..e3e651f
--- /dev/null
+++ b/roles/common/files/etc/systemd/system/fail2ban.service.d/override.conf
@@ -0,0 +1,18 @@
+[Unit]
+After=nftables.service
+
+[Service]
+# Need explicit rights to read logs as we don't grant CAP_DAC_READ_SEARCH
+SupplementaryGroups=adm
+
+# Hardening
+NoNewPrivileges=yes
+ProtectSystem=strict
+ReadWriteDirectories=/var/log/fail2ban
+RuntimeDirectory=fail2ban
+PrivateDevices=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX AF_NETLINK
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW
-- 
cgit v1.2.3