Limit the location where fail2ban service can write to (only /var/run/fail2ban).

2025-03-06 23:31:34 +00:00 · 2013-07-25 15:48:00 +02:00 · 2013-07-25 15:48:00 +02:00 · 7e7392b8ad
parent c5f6a08750
commit 7e7392b8ad
1 changed files with 5 additions and 1 deletions
--- a/modules/services/security/fail2ban.nix
+++ b/modules/services/security/fail2ban.nix
@ -114,7 +114,11 @@ in
            mkdir -p /var/run/fail2ban -m 0755
          '';
          
-        serviceConfig.ExecStart = "${pkgs.fail2ban}/bin/fail2ban-server -f";
+        serviceConfig =
+          { ExecStart = "${pkgs.fail2ban}/bin/fail2ban-server -f";
+            ReadOnlyDirectories = "/";
+            ReadWriteDirectories = "/var/run/fail2ban";
+          };

        postStart =
          ''