Comments (5)
This is not safe. The [nobody] user's main purpose on Linux-based
operating systems is to be the owner of files that otherwise cannot be mapped
to any local user. It's used by the NFS client and Linux user namespacing,
among others. By running a unit's processes under the identity of this user
they might possibly get read and even write access to such files that cannot
otherwise be mapped.
It is strongly recommended to avoid running services under this user identity,
in particular on systems using NFS or running containers. Allocate a user ID
specific to this service, either statically via systemd-sysusers or dynamically
via the DynamicUser= service setting.
from endlessh.
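The comment above gives the reasoning for avoiding User=nobody; the following shell function, added here as an example and not code from the endlessh project, applies that rule to a unit's text: it accepts DynamicUser= or a dedicated User=, and flags root, nobody and the other unmapped-ID names. The three sample units are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not part of endlessh): audit a systemd unit for the identity it
# runs under, following the rule from the comment above. audit_unit returns 0 when
# the unit allocates its own identity (DynamicUser= or a dedicated User=) and 1
# when it would run as root or as the unmapped-ID owner (nobody/nfsnobody/65534).

# Constructed sample units used for the demonstration.
UNIT_NOBODY='[Service]
ExecStart=/usr/bin/endlessh
User=nobody'

UNIT_DYNAMIC='[Service]
ExecStart=/usr/bin/endlessh
DynamicUser=true'

UNIT_DEDICATED='[Service]
ExecStart=/usr/bin/endlessh
User=endlessh'

UNIT_ROOT='[Service]
ExecStart=/usr/bin/endlessh'

# audit_unit UNIT_TEXT: print a verdict, return 0 (ok) or 1 (needs a fix).
# The last occurrence of a key wins, matching systemd's own parsing.
audit_unit() {
    unit_text="$1"
    user_setting=$(printf '%s\n' "$unit_text" \
        | sed -n 's/^[[:space:]]*User=[[:space:]]*//p' | tail -n 1)
    dynamic_setting=$(printf '%s\n' "$unit_text" \
        | sed -n 's/^[[:space:]]*DynamicUser=[[:space:]]*//p' | tail -n 1)

    # DynamicUser= allocates a transient UID/GID at start; no shared identity.
    case "$dynamic_setting" in
        true|yes|on|1)
            echo "ok: DynamicUser= allocates a transient UID"
            return 0 ;;
    esac

    case "$user_setting" in
        "")
            echo "warn: no User= and no DynamicUser=, the service runs as root"
            return 1 ;;
        root|0)
            echo "warn: User=$user_setting runs as root"
            return 1 ;;
        nobody|nfsnobody|65534)
            echo "warn: User=$user_setting owns unmapped files (NFS, user namespaces); allocate a dedicated user"
            return 1 ;;
        *)
            echo "ok: dedicated User=$user_setting"
            return 0 ;;
    esac
}

# Usage on a real unit: audit_unit "$(systemctl cat endlessh.service)"
audit_unit "$UNIT_NOBODY"
audit_unit "$UNIT_DYNAMIC"
audit_unit "$UNIT_DEDICATED"
audit_unit "$UNIT_ROOT"
```

Run it against a unit on disk with `audit_unit "$(systemctl cat endlessh.service)"`; a dedicated user that the check accepts is the one the comment suggests creating statically with systemd-sysusers.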
For me the following service configuration works:
[Unit]
Description=Endlessh SSH Tarpit
Documentation=man:endlessh(1)
# Requires= alone does not order the unit; After= makes it wait for the network
Requires=network-online.target
After=network-online.target
# Stop trying to restart the service if it restarts too many times in a row
# (the start-limit settings belong in [Unit])
StartLimitIntervalSec=5min
StartLimitBurst=4
[Service]
Type=simple
Restart=always
RestartSec=30sec
ExecStart=/usr/bin/endlessh
KillSignal=SIGTERM
StandardOutput=journal
StandardError=journal
StandardInput=null
PrivateTmp=true
PrivateDevices=true
ProtectSystem=strict
ProtectHome=true
PrivateUsers=true
# Transient UID/GID allocated at start, instead of root or nobody
DynamicUser=true
NoNewPrivileges=true
ConfigurationDirectory=endlessh
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
ProtectClock=true
ProtectKernelLogs=true
# ProtectProc= takes noaccess/invisible/ptraceable/default, not a boolean
ProtectProc=invisible
ProtectHostname=true
LockPersonality=true
MemoryDenyWriteExecute=true
RestrictRealtime=true
SystemCallFilter=@system-service
[Install]
WantedBy=multi-user.target
from endlessh.
Good point - but it should not be left as it is, as it's currently root
from endlessh.
I mean, it looks to me that "nobody" was chosen as an example... couldn't we just make an "endlessh" user for this?
That way if some exploit does make its way out, they'll have access to that user instead of root, which is the whole point of this suggestion (IMHO).
from endlessh.
closing
from endlessh.