Compare commits

..

4 commits

Author SHA1 Message Date
b345d17602 Merge branch 'systemd'
Adds a systemd service setup for sshlog.

* systemd:
  Add information about util directory
  Add a README inside utils with systemd instructions
  Add sshlog.service configuration
2021-07-28 19:57:41 +02:00
abdaa65cfa
Add information about util directory 2021-06-25 20:52:23 +02:00
c4f38cd7e1 Add a README inside utils with systemd instructions
This README should hold all infromation for all utilities that should
appeare around sshlog, like the systemd service configuration.
2021-06-18 21:26:20 +02:00
279b3fa159 Add sshlog.service configuration
I am not an expert in systemd service creation/configuration. I just
took an example file from the internet and modified it slightly to match
my setup.
This configuration gets using the `systemd-analyze` a mixed result while
scanning it with the focus on security. I am sure it can be optimize to
have a lot less capabilities but for the time I don't know how.

Refs:
 - https://medium.com/@benmorel/creating-a-linux-service-with-systemd-611b5c8b91d6
 - https://www.redhat.com/sysadmin/systemd-secure-services
2021-06-18 21:24:26 +02:00
3 changed files with 60 additions and 0 deletions

View file

@ -41,3 +41,7 @@ FLAGS:
-4, --onlyIPv4 Only listens on IPv4.
-p, --port string Port to listen for incoming connections. (default "22"))
```
# Utils
Inside the `util` directory you might find some additional information like how to create Systemd service for sshlog.

15
util/README.md Normal file
View file

@ -0,0 +1,15 @@
# Utility
A collection of scripts and useful configurations.
## Systemd
You can use the example `sshlog.service` to run `sshlog` as a service under Systemd.
Copy the `sshlog.service` into `/etc/systemd/system/sshlog.service` and change the `ExecStart` value to point to the `sshlog` executable.
If you installed it with `go install` it will be propably located inside your `$GOPATH/bin` directory. Use the full path as
value for the `ExecStart` parameter. This is also the location if you wannt to give it some arguments like `-p 2222` for the listening port.
After saving the configuration under `/etc/systemd/system/sshlog.service` it can be started with `systemctl start sshlog.service` and
enabled to run on system boot with `systemctl enable sshlog.service`
While running it with Systemd all logs can be accesst with `journalctl -u sshlog.service`.

41
util/sshlog.service Normal file
View file

@ -0,0 +1,41 @@
[Unit]
Description=SSH Auth Logging
Requires=network-online.target
[Service]
Type=simple
Restart=always
RestartSec=30sec
# Path to the executable
ExecStart=/home/user/go/bin/sshlog -p 2222
KillSignal=SIGTERM
# Stop trying to restart the service if it restarts too many times in a row
StartLimitInterval=5min
StartLimitBurst=4
StandardOutput=journal
StandardError=journal
StandardInput=null
DynamicUser=yes
PrivateTmp=true
PrivateDevices=true
PrivateMounts=true
ProtectSystem=full
#ProtectHome=true
RestrictNamespaces=true
InaccessiblePaths=/run /var /etc
PrivateUsers=true
NoNewPrivileges=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
MemoryDenyWriteExecute=true
[Install]
WantedBy=multi-user.target