Limit the capabilities of what fail2ban service can do. Taken from ArchLinux wiki.

2013-07-25 20:03:29 +02:00 · 2013-07-25 20:03:29 +02:00 · 6adfb647ff
commit 6adfb647ff
parent 7e7392b8ad
1 changed files with 1 additions and 0 deletions
--- a/modules/services/security/fail2ban.nix
+++ b/modules/services/security/fail2ban.nix
@ -118,6 +118,7 @@ in
          { ExecStart = "${pkgs.fail2ban}/bin/fail2ban-server -f";
            ReadOnlyDirectories = "/";
            ReadWriteDirectories = "/var/run/fail2ban";
+            CapabilityBoundingSet="CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW";
          };

        postStart =