path: root/roles/common/files/etc/systemd/system/fail2ban.service.d/override.conf
[Unit]
# Ordering only: when both units are started, fail2ban starts after
# nftables.service. After= does not pull nftables.service in by itself.
# NOTE(review): presumably so the base ruleset is loaded before fail2ban adds
# its bans; confirm against the nftables setup.
After=nftables.service

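[Service]
# fail2ban has to read the log files it monitors. CAP_DAC_READ_SEARCH is not in
# the bounding set below, so read access comes from membership in group adm
# rather than from a capability that bypasses file permission checks.
SupplementaryGroups=adm

# Hardening
# No privilege gain through setuid/setgid binaries or file capabilities.
NoNewPrivileges=yes
# The whole file system hierarchy is mounted read-only for this service, except
# /dev, /proc and /sys and the paths made writable explicitly below.
ProtectSystem=strict
# ReadWritePaths= is the current name of ReadWriteDirectories=, which systemd
# keeps only as a compatibility alias.
# NOTE(review): this is the only persistent writable path set in this drop-in;
# confirm that fail2ban's database (dbfile) is disabled or placed under a
# writable path, otherwise it cannot be written under ProtectSystem=strict.
ReadWritePaths=/var/log/fail2ban
# Creates /run/fail2ban when the service starts and removes it when it stops.
RuntimeDirectory=fail2ban
# Private /dev holding only pseudo-devices; no access to physical devices.
PrivateDevices=yes
# /sys/fs/cgroup is read-only for the service.
ProtectControlGroups=yes
# Explicit kernel module loading and unloading is denied.
ProtectKernelModules=yes
# Kernel tunables under /proc/sys and /sys are read-only.
ProtectKernelTunables=yes
# Allow-list: only UNIX and netlink sockets can be created.
# NOTE(review): AF_INET and AF_INET6 are excluded, so confirm that no jail or
# action relies on DNS lookups or outbound connections from this service.
RestrictAddressFamilies=AF_UNIX AF_NETLINK
# Every capability except these two is dropped, including CAP_DAC_OVERRIDE and
# CAP_DAC_READ_SEARCH (hence SupplementaryGroups=adm above).
# NOTE(review): presumably the set needed to update the nftables ruleset; confirm.
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW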