third-party-mirrors/sslh
1
0
Fork 0
mirror of https://github.com/yrutschle/sslh.git synced 2025-06-19 00:13:52 +03:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #96 from candrews/patch-1

Browse Source 
Harden the systemd service
This commit is contained in:
yrutschle 2017-12-16 19:04:52 +01:00 committed by GitHub
commit b33c65ed53
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 16 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
scripts/systemd.sslh.service
View File

@ -6,6 +6,22 @@ After=network.target
EnvironmentFile=/etc/conf.d/sslh EnvironmentFile=/etc/conf.d/sslh
ExecStart=/usr/bin/sslh --foreground $DAEMON_OPTS ExecStart=/usr/bin/sslh --foreground $DAEMON_OPTS
KillMode=process KillMode=process
#Hardening
PrivateTmp=true
CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
SecureBits=noroot-locked
ProtectSystem=strict
ProtectHome=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectControlGroups=true
MountFlags=private
NoNewPrivileges=true
PrivateDevices=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
MemoryDenyWriteExecute=true
DynamicUser=true
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target