You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
41 lines
966 B
41 lines
966 B
[Unit]
|
|
Description=Portscan Firewall Banner Service
|
|
After=network.target
|
|
ConditionPathExists=/usr/local/bin/banner_service
|
|
ConditionCapability=CAP_NET_BIND_SERVICE
|
|
|
|
[Service]
|
|
Type=simple
|
|
User=bannersvc
|
|
Group=bannersvc
|
|
WorkingDirectory=/var/lib/banner-service
|
|
ExecStart=/usr/local/bin/banner_service
|
|
AmbientCapabilities=CAP_NET_BIND_SERVICE
|
|
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
|
|
NoNewPrivileges=true
|
|
ProtectSystem=strict
|
|
ProtectHome=true
|
|
PrivateTmp=true
|
|
PrivateDevices=true
|
|
ProtectKernelTunables=true
|
|
ProtectKernelModules=true
|
|
ProtectControlGroups=true
|
|
RestrictAddressFamilies=AF_INET AF_INET6
|
|
RestrictNamespaces=true
|
|
RestrictRealtime=true
|
|
RestrictSUIDSGID=true
|
|
MemoryDenyWriteExecute=true
|
|
LockPersonality=true
|
|
SystemCallFilter=@system-service
|
|
SystemCallArchitectures=native
|
|
#IPAddressDeny=any
|
|
#IPAddressAllow=localhost
|
|
#IPAddressAllow=127.0.0.1
|
|
#IPAddressAllow=::1
|
|
|
|
# Connection rate limiting
|
|
LimitNOFILE=1024
|
|
LimitNPROC=8
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|
|
|