fail2ban: Harden service
This hardens the fail2ban service by giving it only the capabilities and read/write access it needs.
This is done in accordance with the Arch Wiki article [1] where further information about the needed capabilities and read/write paths can be found.
[1] https://wiki.archlinux.org/title/Fail2ban#Service_hardening
NOTE: I've only tested my own revision [2] of this on Fedora 35. As I'm using the ansible.builtin.systemd module instead of the ansible.builtin.service, YMMV.
Also the systemd module needs daemon_reload: true to pick up the changes to service files. Maybe the service module does this automatically, maybe not.
[2] https://git.histalek.de/histalek-de/infrastructure/-/commit/012d5b8f2c88312ad8773ae701852e4a41deb1be
Edited by histalek