foodogsquared/nixos-config
1
0
Fork 0
mirror of https://github.com/foo-dogsquared/nixos-config.git synced 2025-01-31 10:58:02 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

hosts/plover: update Bind hardening settings

Browse Source
This commit is contained in:
Gabriel Arazas 2023-06-28 14:01:02 +08:00
parent a362607c9c
commit 8043b8d16c
No known key found for this signature in database
GPG Key ID: ADE0C41DAB221FCC
1 changed files with 16 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
hosts/plover/modules/services/bind.nix
View File

@ -174,6 +174,12 @@ in
"/etc/bind"
];
# Set up writable directories.
RuntimeDirectory = "named";
RuntimeDirectoryMode = "0750";
CacheDirectory = "named";
CacheDirectoryMode = "0750";
# Filtering system calls.
SystemCallFilter = [ "@system-service" ];
SystemCallErrorNumber = "EPERM";
@ -184,6 +190,7 @@ in
CapabilityBoundingSet = [
"CAP_NET_BIND_SERVICE"
"CAP_NET_RAW"
"CAP_CHOWN"
"CAP_SYS_CHROOT"
];
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
@ -198,7 +205,7 @@ in
];
# Restricting what namespaces it can create.
RestrictNamespaces = [ "network" "pid" ];
RestrictNamespaces = true;
};
};
@ -209,4 +216,12 @@ in
];
allowedTCPPorts = [ 53 853 ];
};
# Set up a fail2ban which is apparently already available in the package.
services.fail2ban.jails."named-refused" = ''
enabled = true
backend = systemd
filter = named-refused[journalmatch='_SYSTEMD_UNIT=bind.service']
maxretry = 3
'';
}