fail2ban: Harden service
This hardens the fail2ban service by giving it only the capabilities and read/write paths it needs. This is done in accordance with the Arch Wiki article [1], where further information about the required capabilities and read/write paths can be found. [1] https://wiki.archlinux.org/title/Fail2ban#Service_hardening
This commit is contained in:
parent
8caa2909f1
commit
d822f8544d
3 changed files with 55 additions and 0 deletions
|
@ -23,6 +23,24 @@
|
||||||
state: "{{ fail2ban_package_state }}"
|
state: "{{ fail2ban_package_state }}"
|
||||||
become: true
|
become: true
|
||||||
|
|
||||||
|
- name: Create fail2ban logging directory.
|
||||||
|
file:
|
||||||
|
path: "/var/log/fail2ban"
|
||||||
|
state: directory
|
||||||
|
mode: '0700'
|
||||||
|
owner: 'root'
|
||||||
|
group: 'root'
|
||||||
|
become: true
|
||||||
|
|
||||||
|
- name: Create fail2ban systemd drop-in directory.
|
||||||
|
file:
|
||||||
|
path: "/etc/systemd/system/fail2ban.service.d"
|
||||||
|
state: directory
|
||||||
|
mode: '0755'
|
||||||
|
owner: 'root'
|
||||||
|
group: 'root'
|
||||||
|
become: true
|
||||||
|
|
||||||
- name: Deploy fail2ban jail config.
|
- name: Deploy fail2ban jail config.
|
||||||
template:
|
template:
|
||||||
src: "jail.local.j2"
|
src: "jail.local.j2"
|
||||||
|
@ -33,6 +51,26 @@
|
||||||
notify: restart fail2ban service
|
notify: restart fail2ban service
|
||||||
become: true
|
become: true
|
||||||
|
|
||||||
|
- name: Deploy fail2ban config.
|
||||||
|
template:
|
||||||
|
src: "fail2ban.local.j2"
|
||||||
|
dest: "/etc/fail2ban/fail2ban.local"
|
||||||
|
mode: '0644'
|
||||||
|
owner: 'root'
|
||||||
|
group: 'root'
|
||||||
|
notify: restart fail2ban service
|
||||||
|
become: true
|
||||||
|
|
||||||
|
- name: Deploy fail2ban hardening systemd drop-in.
|
||||||
|
template:
|
||||||
|
src: override.conf.j2
|
||||||
|
dest: /etc/systemd/system/fail2ban.service.d/override.conf
|
||||||
|
mode: '0644'
|
||||||
|
owner: 'root'
|
||||||
|
group: 'root'
|
||||||
|
notify: restart fail2ban service
|
||||||
|
become: true
|
||||||
|
|
||||||
- name: Ensure fail2ban service is enabled and started.
|
- name: Ensure fail2ban service is enabled and started.
|
||||||
service:
|
service:
|
||||||
name: fail2ban
|
name: fail2ban
|
||||||
|
|
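--- /dev/null
+++ b/roles/fail2ban/templates/fail2ban.local.j2
@@ -0,0 +1,4 @@
+{{ ansible_managed | comment }}
+
+[Definition]
+logtarget = /var/log/fail2ban/fail2ban.log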
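Review bot: Redirecting `logtarget` to `/var/log/fail2ban/fail2ban.log` leaves any distribution logrotate rule for the previous log path (on several distributions `/var/log/fail2ban.log`) pointing at the old file, so the new log may grow unrotated; ship a matching logrotate entry in the role or verify the packaged one covers the new directory. The new location is the directory the accompanying drop-in grants as `ReadWritePaths`, which is presumably why it moved, and that dependency deserves a comment in the template, e.g. `# Log into a dedicated directory so the systemd drop-in can grant it as a ReadWritePaths entry under ProtectSystem=strict.` Only the keys listed in a `.local` override `fail2ban.conf`, so `loglevel` and the remaining `[Definition]` settings stay at the packaged defaults.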
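--- /dev/null
+++ b/roles/fail2ban/templates/override.conf.j2
@@ -0,0 +1,13 @@
+{{ ansible_managed | comment }}
+
+[Service]
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectHome=read-only
+ProtectSystem=strict
+ReadWritePaths=-/var/run/fail2ban
+ReadWritePaths=-/var/lib/fail2ban
+ReadWritePaths=-/var/log/fail2ban
+ReadWritePaths=-/var/spool/postfix/maildrop
+ReadWritePaths=-/run/xtables.lock
+CapabilityBoundingSet=CAP_AUDIT_READ CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW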
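Review bot: A drop-in under `/etc/systemd/system/fail2ban.service.d/` only takes effect after `systemctl daemon-reload`, and the task that deploys this file (first file section) merely notifies `restart fail2ban service`; unless that handler, which is not visible here, also reloads unit files, the first run restarts the old, unhardened unit and the sandbox silently does not apply. Either give the restart handler `daemon_reload: true` or add a separate `systemd: daemon_reload: true` handler that the drop-in task notifies before the restart, and confirm with `systemctl show fail2ban -p ProtectSystem` after the play. `ReadWritePaths=-/var/run/fail2ban` relies on `/var/run` being a symlink to `/run`; writing `ReadWritePaths=-/run/fail2ban` avoids that dependency. The `-` prefix on each path means a missing path is ignored rather than failing the unit, which is appropriate here (e.g. `/run/xtables.lock` does not exist on nftables-only hosts), and a short comment stating that, plus that the postfix maildrop entry is only needed for sendmail-based actions, would make the list self-explanatory.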