Package: fail2ban
Version: 1.1.0-7
Severity: normal
Tags: security
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
The following systemd security settings have been tested and allow fail2ban to work normally while significantly decreasing its ability to change things on the system. This program processes data from hostile systems on the Internet and needs access to perform privileged operations. So we want it to run with minimum privs.

[Service]
SystemCallFilter=~@clock @cpu-emulation @debug @module @mount @swap @resources @reboot @raw-io @obsolete
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_SYS_TTY_CONFIG CAP_NET_ADMIN
ProtectSystem=true
PrivateTmp=true
ProtectHome=true
MemoryDenyWriteExecute=true
ProtectKernelModules=true
ProtectHostname=true
NoNewPrivileges=false
RestrictNamespaces=true
ProtectClock=true
RestrictSUIDSGID=true
ProtectKernelTunables=true
ProtectControlGroups=true
ProtectKernelLogs=true
PrivateDevices=false
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK AF_PACKET
UMask=077
LockPersonality=true
RestrictRealtime=true

-- System Information:
Debian Release: trixie/sid
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.12.9-amd64 (SMP w/18 CPU threads; PREEMPT)
Kernel taint flags: TAINT_CPU_OUT_OF_SPEC
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: unable to detect

Versions of packages fail2ban depends on:
ii  python3          3.13.1-2
ii  python3-systemd  235-1+b5

Versions of packages fail2ban recommends:
ii  iptables            1.8.11-2
ii  nftables            1.1.1-1
pn  python3-pyinotify   <none>
ii  python3-setuptools  75.6.0-1
ii  whois               5.5.23

Versions of packages fail2ban suggests:
ii  bsd-mailx [mailx]            8.1.2-0.20220412cvs-1
pn  monit                        <none>
ii  rsyslog [system-log-daemon]  8.2412.0-1
ii  sqlite3                      3.46.1-1

-- Configuration Files:
/etc/fail2ban/jail.d/defaults-debian.conf changed [not included]

-- debconf-show failed
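As an added example that is not part of the bug report or of the fail2ban package, the POSIX shell script below installs the reporter's settings as a per-unit systemd drop-in, so they override the packaged unit without editing it, and then verifies what systemd actually applied. The drop-in location (fail2ban.service.d/hardening.conf), the function names and the verification steps are my choices; the settings themselves are copied verbatim from the report. The live steps (daemon-reload, restart, systemctl show, systemd-analyze security) only run when invoked with the argument "install" as root on a systemd host; otherwise the script just defines the helpers.

```shell
#!/bin/sh
# Added example (not from the bug report): install the reported hardening
# settings for fail2ban.service as a systemd drop-in and verify the result.
set -eu

# Write the [Service] settings from the report into DIR/hardening.conf.
# DIR is normally /etc/systemd/system/fail2ban.service.d (an assumption of
# this script, chosen because it is the standard per-unit drop-in path).
# Prints the path of the file written.
write_dropin() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/hardening.conf" <<'EOF'
[Service]
SystemCallFilter=~@clock @cpu-emulation @debug @module @mount @swap @resources @reboot @raw-io @obsolete
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_SYS_TTY_CONFIG CAP_NET_ADMIN
ProtectSystem=true
PrivateTmp=true
ProtectHome=true
MemoryDenyWriteExecute=true
ProtectKernelModules=true
ProtectHostname=true
NoNewPrivileges=false
RestrictNamespaces=true
ProtectClock=true
RestrictSUIDSGID=true
ProtectKernelTunables=true
ProtectControlGroups=true
ProtectKernelLogs=true
PrivateDevices=false
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK AF_PACKET
UMask=077
LockPersonality=true
RestrictRealtime=true
EOF
    printf '%s\n' "$dir/hardening.conf"
}

# Number of Key=Value directives in a drop-in (section headers excluded).
count_directives() {
    grep -c '^[A-Za-z]*=' "$1"
}

# Exit 0 if FILE sets KEY to exactly VALUE, 1 otherwise.
has_directive() {
    grep -q "^$2=$3\$" "$1"
}

# On a live systemd host: reload units, restart fail2ban, and show the
# effective values plus systemd's own exposure score for the unit.
apply_and_verify() {
    if ! command -v systemctl >/dev/null 2>&1 || [ "$(id -u)" != 0 ]; then
        echo "systemctl unavailable or not running as root: skipping live verification" >&2
        return 0
    fi
    systemctl daemon-reload
    systemctl restart fail2ban.service
    systemctl show fail2ban.service \
        -p CapabilityBoundingSet -p ProtectSystem -p SystemCallFilter \
        -p RestrictAddressFamilies -p NoNewPrivileges
    systemd-analyze security fail2ban.service
}

# Only perform the installation when explicitly asked to.
if [ "${1:-}" = install ]; then
    f=$(write_dropin /etc/systemd/system/fail2ban.service.d)
    echo "wrote $f with $(count_directives "$f") directives"
    apply_and_verify
fi
```

Run it as `sudo sh harden-fail2ban.sh install`; `systemd-analyze security fail2ban.service` then shows per-setting whether each restriction is in effect, which is the quickest way to confirm the drop-in was picked up and not shadowed by a later drop-in or a packaged override.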