From 6adfb647ff3cd3c7bb00b68dafe79eec8786df3e Mon Sep 17 00:00:00 2001
From: Rob Vermaas
Date: Thu, 25 Jul 2013 20:03:29 +0200
Subject: [PATCH] Limit the capabilities of what fail2ban service can do. Taken from ArchLinux wiki.
---
 modules/services/security/fail2ban.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/modules/services/security/fail2ban.nix b/modules/services/security/fail2ban.nix
index 258a2d79163..a232d18a572 100644
--- a/modules/services/security/fail2ban.nix
+++ b/modules/services/security/fail2ban.nix
@@ -118,6 +118,7 @@ in
 { ExecStart = "${pkgs.fail2ban}/bin/fail2ban-server -f";
 ReadOnlyDirectories = "/";
 ReadWriteDirectories = "/var/run/fail2ban";
+ CapabilityBoundingSet="CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW";
 };
 postStart =
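Review bot: The added `CapabilityBoundingSet` line has no comment saying why each of the three capabilities is kept, so a later maintainer cannot tell which one can be dropped or what stops working if a jail is configured with an action other than a packet-filter rule. I would put a comment above it, for example `# CAP_DAC_READ_SEARCH: read log files regardless of mode; CAP_NET_ADMIN, CAP_NET_RAW: add/remove firewall rules` (purposes inferred from what fail2ban usually does; confirm against the actions actually shipped). CAP_DAC_READ_SEARCH lets the process read any file on the system, so it is the widest of the three and worth revisiting if the monitored logs are readable without it. The line also omits the spaces around `=` that the neighbouring attributes use: `CapabilityBoundingSet = "CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW";`. The name this attribute set is bound to sits above the hunk.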