infrastructure/roles/fail2ban/templates/override.conf.j2

{{ ansible_managed | comment }}

[Service]
PrivateDevices=yes
PrivateTmp=yes
ProtectHome=read-only
ProtectSystem=strict
ReadWritePaths=-/var/run/fail2ban
ReadWritePaths=-/var/lib/fail2ban
ReadWritePaths=-/var/log/fail2ban
ReadWritePaths=-/var/spool/postfix/maildrop
ReadWritePaths=-/run/xtables.lock
CapabilityBoundingSet=CAP_AUDIT_READ CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW
fail2ban: Harden service This hardens the fail2ban service by giving it only the capabilities and read/write access it needs. This is done in accordance to the Arch Wiki article [1] where further information about the needed capabilities and read/write paths can be found. [1] https://wiki.archlinux.org/title/Fail2ban#Service_hardening 2021-12-05 14:22:51 +01:00			`{{ ansible_managed \| comment }}`

			`[Service]`
			`PrivateDevices=yes`
			`PrivateTmp=yes`
			`ProtectHome=read-only`
			`ProtectSystem=strict`
			`ReadWritePaths=-/var/run/fail2ban`
			`ReadWritePaths=-/var/lib/fail2ban`
			`ReadWritePaths=-/var/log/fail2ban`
			`ReadWritePaths=-/var/spool/postfix/maildrop`
			`ReadWritePaths=-/run/xtables.lock`
			`CapabilityBoundingSet=CAP_AUDIT_READ CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW`