
neil in gemini space


on securing a gemini server with systemd - 2022-02-26


so yet again others sharing information prompted me to have a look at my server set-up:


2022-02-23 Securing Gemini Servers

2022-02-24 Re: Securing Gemini Servers


i started with:


systemd-analyze security agate

agate scored 9.1 UNSAFE. not a good start, although all the vanilla os services were just as bad: i can look at those another day!


i added options to the agate.service file one by one to see what the effect was:


PrivateTmp=yes 8.7 EXPOSED
NoNewPrivileges=true 8.6 EXPOSED
RestrictNamespaces=yes 7.8 EXPOSED
ProtectDevices=yes 7.8 EXPOSED
NoNewPrivileges=true 7.8 EXPOSED
PrivateDevices=true 7.1 MEDIUM
DevicePolicy=closed 7.1 MEDIUM
ProtectSystem=strict 6.9 MEDIUM
ProtectHome=true 6.7 MEDIUM
ProtectHostname=true 6.7 MEDIUM
ProtectControlGroups=true 6.5 MEDIUM
ProtectKernelModules=true 6.1 MEDIUM
ProtectKernelTunables=true 6.0 MEDIUM
RestrictAddressFamilies=AF_INET 5.5 MEDIUM
RestrictRealtime=true 5.4 MEDIUM
RestrictSUIDSGID=true 5.4 MEDIUM
MemoryDenyWriteExecute=true 5.4 MEDIUM
LockPersonality=true 5.3 MEDIUM
PrivateUsers=true 5.2 MEDIUM
ProtectClock=true 5.2 MEDIUM
ProtectKernelLogs=true 5.2 MEDIUM
ProtectProc=invisible 5.2 MEDIUM
ProcSubset=pid 5.2 MEDIUM
RemoveIPC=true

the post below had me recheck my work, and yes, i had borked agate!


2022-02-25 - Securing Molly Brown


i commented out these to get going again:


# ProtectHome
# RestrictAddressFamilies 5.8 MEDIUM

a little more work on the effect of each change (and making myself actually read the error messages) led to some changes and additions:


RestrictAddressFamilies=AF_INET AF_INET6 5.3 MEDIUM
ProtectHome=read-only 5.2 MEDIUM
CapabilityBoundingSet= 3.0 OK (note there is nothing after the = )
UMask=177 3.0 OK

i'm happy with a score of 3.0 for now until i understand more about this.
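the add-one-directive-then-re-score loop above, written up as a shell script (an added example, not from the original post): each directive goes into a drop-in file for the unit, the unit is re-scored with systemd-analyze security, systemd-analyze verify is run to catch a misspelled key that systemd would otherwise silently ignore, and the unit is restarted to confirm it still comes up. the unit name, the drop-in path and the directive list are assumed inputs.

```shell
#!/bin/sh
# Added example: incremental hardening of a systemd unit through a drop-in.
# Assumptions: run as root; unit name (e.g. agate.service) is the first argument,
# directives follow. Nothing runs until harden_step_by_step is called.
# usage: . ./harden.sh; harden_step_by_step agate.service PrivateTmp=yes NoNewPrivileges=true

# Pull "score LEVEL" out of systemd-analyze security output, whose summary line
# reads like: "-> Overall exposure level for agate.service: 9.1 UNSAFE"
parse_score() {
    sed -n 's/.*Overall exposure level for [^:]*: \([0-9.]*\) \([A-Z]*\).*/\1 \2/p'
}

score_unit() {
    systemd-analyze security --no-pager "$1" 2>/dev/null | parse_score
}

harden_step_by_step() {
    unit="$1"; shift
    dropin_dir="/etc/systemd/system/${unit}.d"
    dropin="${dropin_dir}/hardening.conf"          # assumed drop-in location
    mkdir -p "$dropin_dir"
    printf '[Service]\n' > "$dropin"
    systemctl daemon-reload
    echo "baseline: $(score_unit "$unit")"
    for directive in "$@"; do
        printf '%s\n' "$directive" >> "$dropin"
        systemctl daemon-reload
        # verify reports "Unknown key name ..." for a directive systemd does not know,
        # which would otherwise be dropped without changing the score
        if systemd-analyze verify "$unit" 2>&1 | grep -qi 'unknown key'; then
            echo "  warning: systemd does not recognise: $directive"
        fi
        systemctl restart "$unit"
        if systemctl is-active --quiet "$unit"; then state=active; else state=FAILED; fi
        echo "$directive -> $(score_unit "$unit") [$state]"
    done
}
```

a FAILED state after a directive is the cue to read `journalctl -u <unit>` before adding the next one, which is the step the post above says was skipped the first time round.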


some more links for some light reading :-) :


2022-02-20 - security and hardening options for systemd service units


2022-02-25 - (accessed) systemd.exec — Execution environment configuration


2022-02-26 - (accessed) systemd.syntax — General syntax of systemd configuration files. explains why 1,yes,true,on do the same thing!


2022-02-18 - Systemd Hardening


2021-05-14 - Systemd Service Hardening


i took the opportunity to review how i was running agate, changed the user account that runs agate and moved the certificates. the server setup is now a little more organized and hopefully more secure.


another block of code from my agate.service (more suitable for copy and paste):


# security things done
CapabilityBoundingSet=
DevicePolicy=closed
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=yes
PrivateUsers=true
ProcSubset=pid
ProtectClock=true
ProtectControlGroups=true
# ProtectDevices= is not a systemd.exec directive (PrivateDevices= above is the
# one that hides device nodes); systemd ignores it with an "Unknown key name" warning
# ProtectDevices=yes
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectHome=read-only
ProtectHostname=true
ProtectProc=invisible
ProtectSystem=strict
RestrictAddressFamilies=AF_INET AF_INET6
RemoveIPC=true
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=true
UMask=177


---

neil.gemini@mingmengtou.org

content licensed CC-BY-SA 4.0 unless stated.

creative commons licence.
