path: root/roles/common/files/etc/systemd/system/fail2ban.service.d/override.conf
blob: b34d130e9ef033aeba39089235c2f598836a860c (plain)
# Drop-in for fail2ban.service (fail2ban.service.d/override.conf): the settings
# below are merged on top of the packaged unit.
[Unit]
# Ordering only: when both units are started together, fail2ban is started
# after nftables.service, presumably so the base ruleset is loaded before
# fail2ban adds its own entries -- confirm against the nftables setup.
# NOTE(review): After= neither pulls nftables.service in nor ties fail2ban to
# its success; that takes Wants=/Requires=, if the packaged unit lacks them.
After=nftables.service

[Service]
# An empty assignment resets a command list inherited from the packaged unit.
# The order matters: ExecStart= must be cleared before the new command line is
# assigned, otherwise the service would end up with two ExecStart= entries.
# NOTE(review): presumably the packaged ExecStartPre= only created the runtime
# directory, which RuntimeDirectory= below now provides -- confirm.
ExecStartPre=
ExecStart=
# -x: force start (remove a stale socket file), -f: stay in the foreground.
# --logtarget=sysout writes the log to standard output, so systemd collects it
# and no writable log file is needed under the read-only file system below.
ExecStart=/usr/bin/fail2ban-server -xf --logtarget=sysout start

# Need explicit rights to read logs as we don't grant CAP_DAC_READ_SEARCH:
# with that capability (and CAP_DAC_OVERRIDE) outside the bounding set, even a
# UID 0 process is subject to ordinary file permission checks, so every log
# file a jail watches must be readable by its owner, by group adm, or by all.
# NOTE(review): no User= is set here, so the UID comes from the packaged unit
# (presumably root) -- confirm.
SupplementaryGroups=adm

# Hardening
# Neither the service nor the action commands it spawns can gain privileges
# through execve() (setuid/setgid bits, file capabilities).
NoNewPrivileges=yes
# The whole file system hierarchy is mounted read-only for the service, except
# /dev, /proc and /sys; writable locations have to be declared explicitly.
# NOTE(review): only /run/fail2ban is declared writable. fail2ban's default
# persistent database lives under /var/lib/fail2ban, so dbfile is presumably
# disabled or relocated in the fail2ban configuration -- confirm; otherwise add
# StateDirectory=fail2ban.
ProtectSystem=strict
# Creates /run/fail2ban on start and removes it on stop.
RuntimeDirectory=fail2ban
# Private /dev holding only pseudo-devices; no access to physical devices.
PrivateDevices=yes
# Read-only /sys/fs/cgroup.
ProtectControlGroups=yes
# No explicit loading or unloading of kernel modules.
ProtectKernelModules=yes
# Read-only kernel tunables (/proc/sys, /sys and similar).
ProtectKernelTunables=yes
# Allow-list: socket() for any other address family is refused. AF_UNIX covers
# the fail2ban control socket; AF_NETLINK is presumably for the nftables
# actions -- confirm.
# NOTE(review): AF_INET/AF_INET6 are excluded, so anything that needs a network
# socket (mail notification over TCP, DNS lookups from the server or from an
# action) cannot work from this unit -- confirm none is enabled.
RestrictAddressFamilies=AF_UNIX AF_NETLINK
# Upper bound on the capabilities the service and its children can ever hold.
# CAP_NET_ADMIN is what changing packet-filter rules requires.
# NOTE(review): CAP_NET_RAW may be unnecessary if every ban action goes through
# nft over netlink -- verify before narrowing the set further.
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW