hosts/plover: update Bind hardening settings

This commit is contained in:
Gabriel Arazas 2023-06-28 14:01:02 +08:00
parent a362607c9c
commit 8043b8d16c
No known key found for this signature in database
GPG Key ID: ADE0C41DAB221FCC


@ -174,6 +174,12 @@ in
"/etc/bind" "/etc/bind"
]; ];
# Set up writable directories.
RuntimeDirectory = "named";
RuntimeDirectoryMode = "0750";
CacheDirectory = "named";
CacheDirectoryMode = "0750";
# Filtering system calls. # Filtering system calls.
SystemCallFilter = [ "@system-service" ]; SystemCallFilter = [ "@system-service" ];
SystemCallErrorNumber = "EPERM"; SystemCallErrorNumber = "EPERM";
@ -184,6 +190,7 @@ in
CapabilityBoundingSet = [ CapabilityBoundingSet = [
"CAP_NET_BIND_SERVICE" "CAP_NET_BIND_SERVICE"
"CAP_NET_RAW" "CAP_NET_RAW"
"CAP_CHOWN"
"CAP_SYS_CHROOT" "CAP_SYS_CHROOT"
]; ];
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ]; AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
@ -198,7 +205,7 @@ in
]; ];
# Restricting what namespaces it can create. # Restricting what namespaces it can create.
RestrictNamespaces = [ "network" "pid" ]; RestrictNamespaces = true;
}; };
}; };
@ -209,4 +216,12 @@ in
]; ];
allowedTCPPorts = [ 53 853 ]; allowedTCPPorts = [ 53 853 ];
}; };
# Set up a fail2ban which is apparently already available in the package.
services.fail2ban.jails."named-refused" = ''
enabled = true
backend = systemd
filter = named-refused[journalmatch='_SYSTEMD_UNIT=bind.service']
maxretry = 3
'';
} }
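Review bot: The `named-refused` jail added in the last hunk only matches the log lines BIND emits for its `security` logging category, which BIND does not produce unless a `logging { category security { ... }; }` block routes them somewhere the journal sees; nothing in this diff shows such a block, so confirm the host's named configuration has one, otherwise the jail never fires. Because most DNS traffic is UDP with spoofable source addresses, a ban driven by refused queries can also lock out third-party addresses of an attacker's choosing, so the jail deserves a comment such as `# Refused-query bans act on spoofable UDP sources; keep maxretry conservative and prefer banning the TCP ports only.` Separately, the `"CAP_CHOWN"` added to `CapabilityBoundingSet` in the second hunk carries no explanation; since systemd already creates `RuntimeDirectory`/`CacheDirectory` owned by the unit's user, a one-line comment naming what named still needs the capability for would help a later reader decide whether it can be dropped. The enclosing module attribute set starts before the first hunk.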