Systemd Service Hardening
cross-posted from: https://infosec.pub/post/32937284
This one is a little self-hosting specific, and more casual Linux best practices, but I've got a new blog post down for general security! Harden your systemd units (especially custom ones) for better peace of mind on the internet!
https://roguesecurity.dev/blog/systemd-hardeningOpen linkView original on infosec.pub
Adding
PrivateNetwork=yesto your systemd units is a game changer for services that don't need network access - it completly isolates the service from the network and prevents any outbound connections.Good callout! You're absolutely right, and here I was primarily focused on publicly accessible services. Thanks for the addition.
I definitely learnt (more than) a few things from your write up, thank you sir!
Very glad to gear it! Learning new stuff with Linux is the fun part of the journey.