sshlog/util/sshlog.service

[Unit]
Description=SSH Auth Logging
Requires=network-online.target

[Service]
Type=simple
Restart=always
RestartSec=30sec
# Path to the executable
ExecStart=/home/user/go/bin/sshlog -a 0.0.0.0:2222
KillSignal=SIGTERM

# Stop trying to restart the service if it restarts too many times in a row
StartLimitInterval=5min
StartLimitBurst=4

StandardOutput=journal
StandardError=journal
StandardInput=null

DynamicUser=yes

PrivateTmp=true
PrivateDevices=true
PrivateMounts=true
ProtectSystem=full
#ProtectHome=true
RestrictNamespaces=true
InaccessiblePaths=/run /var /etc

PrivateUsers=true

NoNewPrivileges=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
MemoryDenyWriteExecute=true

[Install]
WantedBy=multi-user.target
Add sshlog.service configuration I am not an expert in systemd service creation/configuration. I just took an example file from the internet and modified it slightly to match my setup. This configuration gets using the `systemd-analyze` a mixed result while scanning it with the focus on security. I am sure it can be optimize to have a lot less capabilities but for the time I don't know how. Refs: - https://medium.com/@benmorel/creating-a-linux-service-with-systemd-611b5c8b91d6 - https://www.redhat.com/sysadmin/systemd-secure-services 2021-06-17 23:14:00 +02:00			`[Unit]`
			`Description=SSH Auth Logging`
			`Requires=network-online.target`

			`[Service]`
			`Type=simple`
			`Restart=always`
			`RestartSec=30sec`
			`# Path to the executable`
Replace IPv4/IPv6 handling with address argument To have better handling regarding the interface and port to used. This makes the application only use one address at the time, but if I want the application to bind to IPv4 and IPv6 I can spawn two instances or use Docker and its networking to bind it on the host on both addresses. 2024-09-29 23:15:18 +02:00			`ExecStart=/home/user/go/bin/sshlog -a 0.0.0.0:2222`
Add sshlog.service configuration I am not an expert in systemd service creation/configuration. I just took an example file from the internet and modified it slightly to match my setup. This configuration gets using the `systemd-analyze` a mixed result while scanning it with the focus on security. I am sure it can be optimize to have a lot less capabilities but for the time I don't know how. Refs: - https://medium.com/@benmorel/creating-a-linux-service-with-systemd-611b5c8b91d6 - https://www.redhat.com/sysadmin/systemd-secure-services 2021-06-17 23:14:00 +02:00			`KillSignal=SIGTERM`

			`# Stop trying to restart the service if it restarts too many times in a row`
			`StartLimitInterval=5min`
			`StartLimitBurst=4`

			`StandardOutput=journal`
			`StandardError=journal`
			`StandardInput=null`

			`DynamicUser=yes`

			`PrivateTmp=true`
			`PrivateDevices=true`
			`PrivateMounts=true`
			`ProtectSystem=full`
			`#ProtectHome=true`
			`RestrictNamespaces=true`
			`InaccessiblePaths=/run /var /etc`

			`PrivateUsers=true`

			`NoNewPrivileges=true`
			`ProtectKernelTunables=true`
			`ProtectKernelModules=true`
			`ProtectKernelLogs=true`
			`ProtectControlGroups=true`
			`MemoryDenyWriteExecute=true`

			`[Install]`
			`WantedBy=multi-user.target`