├── .github └── ISSUE_TEMPLATE │ └── feature_request.md ├── .gitmodules ├── CONTRIBUTING.md ├── LICENSE.md ├── README.md ├── beginners-guide └── README.md ├── guides-by-topic └── Zerotier.md ├── howto ├── README.md ├── iptables.md └── wireguard.md └── linux-security-guides └── systemd-service-hardening.md /.github/ISSUE_TEMPLATE/feature_request.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Feature request 3 | about: Suggest an idea for one of the guides 4 | title: "[REQ]" 5 | labels: enhancement 6 | assignees: justSem 7 | 8 | --- 9 | 10 | **Please state which guide your request refers to.** 11 | Name or link will do 12 | 13 | **Describe the solution you'd like** 14 | A clear and concise description of what you want to happen. 15 | 16 | 17 | **Additional context** 18 | Add any other context or screenshots about the feature request here. 19 | -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "linux-security-guides/imthenachoman/How-To-Secure-A-Linux-Server"] 2 | path = linux-security-guides/imthenachoman/How-To-Secure-A-Linux-Server 3 | url = https://github.com/imthenachoman/How-To-Secure-A-Linux-Server/ 4 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing 2 | 3 | Contributors are welcomed! You can contribute in a number of ways. 4 | 5 | 6 | 7 | ## 1. Suggesting edits or inclusions through an issue 8 | 9 | Navigate to the issue tab and make your suggestion. I'll respond accordingly! :) 10 | 11 | 12 | ## 2. Pull requests 13 | 14 | Feel free to make a pull request and I'll review it. 15 | 16 | 17 | ## 3. Become a contributor 18 | 19 | You're free to **request** contributor access, but I won't give direct push permissions to just everyone as it'll give you the right to just simply overwrite anything. 20 | 21 | You can become a contributor if you can provide proof of knowledge, and if I feel you're trustworthy enough. 22 | 23 | I'm looking at investing quite some time at building and expanding these guides, so trust is an essential component in this. 24 | 25 | 26 | ## 4. Subrepo's 27 | 28 | Have you built your own guide and do you feel it would be great to include it here as well? Great! I can link it as a subrepo. 29 | 30 | This is a decent solution if you've made something of your own and want to keep full-access rights to it. 31 | 32 | 33 | 34 | 35 | 36 | ### Disclaimer 37 | 38 | I reserve the right to revoke any previously given permission regarding contributing at any time for any given reason. 39 | -------------------------------------------------------------------------------- /LICENSE.md: -------------------------------------------------------------------------------- 1 | Attribution-ShareAlike 4.0 International 2 | 3 | ======================================================================= 4 | 5 | Creative Commons Corporation ("Creative Commons") is not a law firm and 6 | does not provide legal services or legal advice. Distribution of 7 | Creative Commons public licenses does not create a lawyer-client or 8 | other relationship. Creative Commons makes its licenses and related 9 | information available on an "as-is" basis. Creative Commons gives no 10 | warranties regarding its licenses, any material licensed under their 11 | terms and conditions, or any related information. Creative Commons 12 | disclaims all liability for damages resulting from their use to the 13 | fullest extent possible. 14 | 15 | Using Creative Commons Public Licenses 16 | 17 | Creative Commons public licenses provide a standard set of terms and 18 | conditions that creators and other rights holders may use to share 19 | original works of authorship and other material subject to copyright 20 | and certain other rights specified in the public license below. The 21 | following considerations are for informational purposes only, are not 22 | exhaustive, and do not form part of our licenses. 23 | 24 | Considerations for licensors: Our public licenses are 25 | intended for use by those authorized to give the public 26 | permission to use material in ways otherwise restricted by 27 | copyright and certain other rights. Our licenses are 28 | irrevocable. Licensors should read and understand the terms 29 | and conditions of the license they choose before applying it. 30 | Licensors should also secure all rights necessary before 31 | applying our licenses so that the public can reuse the 32 | material as expected. Licensors should clearly mark any 33 | material not subject to the license. This includes other CC- 34 | licensed material, or material used under an exception or 35 | limitation to copyright. More considerations for licensors: 36 | wiki.creativecommons.org/Considerations_for_licensors 37 | 38 | Considerations for the public: By using one of our public 39 | licenses, a licensor grants the public permission to use the 40 | licensed material under specified terms and conditions. If 41 | the licensor's permission is not necessary for any reason--for 42 | example, because of any applicable exception or limitation to 43 | copyright--then that use is not regulated by the license. Our 44 | licenses grant only permissions under copyright and certain 45 | other rights that a licensor has authority to grant. Use of 46 | the licensed material may still be restricted for other 47 | reasons, including because others have copyright or other 48 | rights in the material. A licensor may make special requests, 49 | such as asking that all changes be marked or described. 50 | Although not required by our licenses, you are encouraged to 51 | respect those requests where reasonable. More considerations 52 | for the public: 53 | wiki.creativecommons.org/Considerations_for_licensees 54 | 55 | ======================================================================= 56 | 57 | Creative Commons Attribution-ShareAlike 4.0 International Public 58 | License 59 | 60 | By exercising the Licensed Rights (defined below), You accept and agree 61 | to be bound by the terms and conditions of this Creative Commons 62 | Attribution-ShareAlike 4.0 International Public License ("Public 63 | License"). To the extent this Public License may be interpreted as a 64 | contract, You are granted the Licensed Rights in consideration of Your 65 | acceptance of these terms and conditions, and the Licensor grants You 66 | such rights in consideration of benefits the Licensor receives from 67 | making the Licensed Material available under these terms and 68 | conditions. 69 | 70 | 71 | Section 1 -- Definitions. 72 | 73 | a. Adapted Material means material subject to Copyright and Similar 74 | Rights that is derived from or based upon the Licensed Material 75 | and in which the Licensed Material is translated, altered, 76 | arranged, transformed, or otherwise modified in a manner requiring 77 | permission under the Copyright and Similar Rights held by the 78 | Licensor. For purposes of this Public License, where the Licensed 79 | Material is a musical work, performance, or sound recording, 80 | Adapted Material is always produced where the Licensed Material is 81 | synched in timed relation with a moving image. 82 | 83 | b. Adapter's License means the license You apply to Your Copyright 84 | and Similar Rights in Your contributions to Adapted Material in 85 | accordance with the terms and conditions of this Public License. 86 | 87 | c. BY-SA Compatible License means a license listed at 88 | creativecommons.org/compatiblelicenses, approved by Creative 89 | Commons as essentially the equivalent of this Public License. 90 | 91 | d. Copyright and Similar Rights means copyright and/or similar rights 92 | closely related to copyright including, without limitation, 93 | performance, broadcast, sound recording, and Sui Generis Database 94 | Rights, without regard to how the rights are labeled or 95 | categorized. For purposes of this Public License, the rights 96 | specified in Section 2(b)(1)-(2) are not Copyright and Similar 97 | Rights. 98 | 99 | e. Effective Technological Measures means those measures that, in the 100 | absence of proper authority, may not be circumvented under laws 101 | fulfilling obligations under Article 11 of the WIPO Copyright 102 | Treaty adopted on December 20, 1996, and/or similar international 103 | agreements. 104 | 105 | f. Exceptions and Limitations means fair use, fair dealing, and/or 106 | any other exception or limitation to Copyright and Similar Rights 107 | that applies to Your use of the Licensed Material. 108 | 109 | g. License Elements means the license attributes listed in the name 110 | of a Creative Commons Public License. The License Elements of this 111 | Public License are Attribution and ShareAlike. 112 | 113 | h. Licensed Material means the artistic or literary work, database, 114 | or other material to which the Licensor applied this Public 115 | License. 116 | 117 | i. Licensed Rights means the rights granted to You subject to the 118 | terms and conditions of this Public License, which are limited to 119 | all Copyright and Similar Rights that apply to Your use of the 120 | Licensed Material and that the Licensor has authority to license. 121 | 122 | j. Licensor means the individual(s) or entity(ies) granting rights 123 | under this Public License. 124 | 125 | k. Share means to provide material to the public by any means or 126 | process that requires permission under the Licensed Rights, such 127 | as reproduction, public display, public performance, distribution, 128 | dissemination, communication, or importation, and to make material 129 | available to the public including in ways that members of the 130 | public may access the material from a place and at a time 131 | individually chosen by them. 132 | 133 | l. Sui Generis Database Rights means rights other than copyright 134 | resulting from Directive 96/9/EC of the European Parliament and of 135 | the Council of 11 March 1996 on the legal protection of databases, 136 | as amended and/or succeeded, as well as other essentially 137 | equivalent rights anywhere in the world. 138 | 139 | m. You means the individual or entity exercising the Licensed Rights 140 | under this Public License. Your has a corresponding meaning. 141 | 142 | 143 | Section 2 -- Scope. 144 | 145 | a. License grant. 146 | 147 | 1. Subject to the terms and conditions of this Public License, 148 | the Licensor hereby grants You a worldwide, royalty-free, 149 | non-sublicensable, non-exclusive, irrevocable license to 150 | exercise the Licensed Rights in the Licensed Material to: 151 | 152 | a. reproduce and Share the Licensed Material, in whole or 153 | in part; and 154 | 155 | b. produce, reproduce, and Share Adapted Material. 156 | 157 | 2. Exceptions and Limitations. For the avoidance of doubt, where 158 | Exceptions and Limitations apply to Your use, this Public 159 | License does not apply, and You do not need to comply with 160 | its terms and conditions. 161 | 162 | 3. Term. The term of this Public License is specified in Section 163 | 6(a). 164 | 165 | 4. Media and formats; technical modifications allowed. The 166 | Licensor authorizes You to exercise the Licensed Rights in 167 | all media and formats whether now known or hereafter created, 168 | and to make technical modifications necessary to do so. The 169 | Licensor waives and/or agrees not to assert any right or 170 | authority to forbid You from making technical modifications 171 | necessary to exercise the Licensed Rights, including 172 | technical modifications necessary to circumvent Effective 173 | Technological Measures. For purposes of this Public License, 174 | simply making modifications authorized by this Section 2(a) 175 | (4) never produces Adapted Material. 176 | 177 | 5. Downstream recipients. 178 | 179 | a. Offer from the Licensor -- Licensed Material. Every 180 | recipient of the Licensed Material automatically 181 | receives an offer from the Licensor to exercise the 182 | Licensed Rights under the terms and conditions of this 183 | Public License. 184 | 185 | b. Additional offer from the Licensor -- Adapted Material. 186 | Every recipient of Adapted Material from You 187 | automatically receives an offer from the Licensor to 188 | exercise the Licensed Rights in the Adapted Material 189 | under the conditions of the Adapter's License You apply. 190 | 191 | c. No downstream restrictions. You may not offer or impose 192 | any additional or different terms or conditions on, or 193 | apply any Effective Technological Measures to, the 194 | Licensed Material if doing so restricts exercise of the 195 | Licensed Rights by any recipient of the Licensed 196 | Material. 197 | 198 | 6. No endorsement. Nothing in this Public License constitutes or 199 | may be construed as permission to assert or imply that You 200 | are, or that Your use of the Licensed Material is, connected 201 | with, or sponsored, endorsed, or granted official status by, 202 | the Licensor or others designated to receive attribution as 203 | provided in Section 3(a)(1)(A)(i). 204 | 205 | b. Other rights. 206 | 207 | 1. Moral rights, such as the right of integrity, are not 208 | licensed under this Public License, nor are publicity, 209 | privacy, and/or other similar personality rights; however, to 210 | the extent possible, the Licensor waives and/or agrees not to 211 | assert any such rights held by the Licensor to the limited 212 | extent necessary to allow You to exercise the Licensed 213 | Rights, but not otherwise. 214 | 215 | 2. Patent and trademark rights are not licensed under this 216 | Public License. 217 | 218 | 3. To the extent possible, the Licensor waives any right to 219 | collect royalties from You for the exercise of the Licensed 220 | Rights, whether directly or through a collecting society 221 | under any voluntary or waivable statutory or compulsory 222 | licensing scheme. In all other cases the Licensor expressly 223 | reserves any right to collect such royalties. 224 | 225 | 226 | Section 3 -- License Conditions. 227 | 228 | Your exercise of the Licensed Rights is expressly made subject to the 229 | following conditions. 230 | 231 | a. Attribution. 232 | 233 | 1. If You Share the Licensed Material (including in modified 234 | form), You must: 235 | 236 | a. retain the following if it is supplied by the Licensor 237 | with the Licensed Material: 238 | 239 | i. identification of the creator(s) of the Licensed 240 | Material and any others designated to receive 241 | attribution, in any reasonable manner requested by 242 | the Licensor (including by pseudonym if 243 | designated); 244 | 245 | ii. a copyright notice; 246 | 247 | iii. a notice that refers to this Public License; 248 | 249 | iv. a notice that refers to the disclaimer of 250 | warranties; 251 | 252 | v. a URI or hyperlink to the Licensed Material to the 253 | extent reasonably practicable; 254 | 255 | b. indicate if You modified the Licensed Material and 256 | retain an indication of any previous modifications; and 257 | 258 | c. indicate the Licensed Material is licensed under this 259 | Public License, and include the text of, or the URI or 260 | hyperlink to, this Public License. 261 | 262 | 2. You may satisfy the conditions in Section 3(a)(1) in any 263 | reasonable manner based on the medium, means, and context in 264 | which You Share the Licensed Material. For example, it may be 265 | reasonable to satisfy the conditions by providing a URI or 266 | hyperlink to a resource that includes the required 267 | information. 268 | 269 | 3. If requested by the Licensor, You must remove any of the 270 | information required by Section 3(a)(1)(A) to the extent 271 | reasonably practicable. 272 | 273 | b. ShareAlike. 274 | 275 | In addition to the conditions in Section 3(a), if You Share 276 | Adapted Material You produce, the following conditions also apply. 277 | 278 | 1. The Adapter's License You apply must be a Creative Commons 279 | license with the same License Elements, this version or 280 | later, or a BY-SA Compatible License. 281 | 282 | 2. You must include the text of, or the URI or hyperlink to, the 283 | Adapter's License You apply. You may satisfy this condition 284 | in any reasonable manner based on the medium, means, and 285 | context in which You Share Adapted Material. 286 | 287 | 3. You may not offer or impose any additional or different terms 288 | or conditions on, or apply any Effective Technological 289 | Measures to, Adapted Material that restrict exercise of the 290 | rights granted under the Adapter's License You apply. 291 | 292 | 293 | Section 4 -- Sui Generis Database Rights. 294 | 295 | Where the Licensed Rights include Sui Generis Database Rights that 296 | apply to Your use of the Licensed Material: 297 | 298 | a. for the avoidance of doubt, Section 2(a)(1) grants You the right 299 | to extract, reuse, reproduce, and Share all or a substantial 300 | portion of the contents of the database; 301 | 302 | b. if You include all or a substantial portion of the database 303 | contents in a database in which You have Sui Generis Database 304 | Rights, then the database in which You have Sui Generis Database 305 | Rights (but not its individual contents) is Adapted Material, 306 | 307 | including for purposes of Section 3(b); and 308 | c. You must comply with the conditions in Section 3(a) if You Share 309 | all or a substantial portion of the contents of the database. 310 | 311 | For the avoidance of doubt, this Section 4 supplements and does not 312 | replace Your obligations under this Public License where the Licensed 313 | Rights include other Copyright and Similar Rights. 314 | 315 | 316 | Section 5 -- Disclaimer of Warranties and Limitation of Liability. 317 | 318 | a. UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE 319 | EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS 320 | AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF 321 | ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS, 322 | IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION, 323 | WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR 324 | PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS, 325 | ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT 326 | KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT 327 | ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU. 328 | 329 | b. TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE 330 | TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION, 331 | NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT, 332 | INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES, 333 | COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR 334 | USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN 335 | ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR 336 | DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR 337 | IN PART, THIS LIMITATION MAY NOT APPLY TO YOU. 338 | 339 | c. The disclaimer of warranties and limitation of liability provided 340 | above shall be interpreted in a manner that, to the extent 341 | possible, most closely approximates an absolute disclaimer and 342 | waiver of all liability. 343 | 344 | 345 | Section 6 -- Term and Termination. 346 | 347 | a. This Public License applies for the term of the Copyright and 348 | Similar Rights licensed here. However, if You fail to comply with 349 | this Public License, then Your rights under this Public License 350 | terminate automatically. 351 | 352 | b. Where Your right to use the Licensed Material has terminated under 353 | Section 6(a), it reinstates: 354 | 355 | 1. automatically as of the date the violation is cured, provided 356 | it is cured within 30 days of Your discovery of the 357 | violation; or 358 | 359 | 2. upon express reinstatement by the Licensor. 360 | 361 | For the avoidance of doubt, this Section 6(b) does not affect any 362 | right the Licensor may have to seek remedies for Your violations 363 | of this Public License. 364 | 365 | c. For the avoidance of doubt, the Licensor may also offer the 366 | Licensed Material under separate terms or conditions or stop 367 | distributing the Licensed Material at any time; however, doing so 368 | will not terminate this Public License. 369 | 370 | d. Sections 1, 5, 6, 7, and 8 survive termination of this Public 371 | License. 372 | 373 | 374 | Section 7 -- Other Terms and Conditions. 375 | 376 | a. The Licensor shall not be bound by any additional or different 377 | terms or conditions communicated by You unless expressly agreed. 378 | 379 | b. Any arrangements, understandings, or agreements regarding the 380 | Licensed Material not stated herein are separate from and 381 | independent of the terms and conditions of this Public License. 382 | 383 | 384 | Section 8 -- Interpretation. 385 | 386 | a. For the avoidance of doubt, this Public License does not, and 387 | shall not be interpreted to, reduce, limit, restrict, or impose 388 | conditions on any use of the Licensed Material that could lawfully 389 | be made without permission under this Public License. 390 | 391 | b. To the extent possible, if any provision of this Public License is 392 | deemed unenforceable, it shall be automatically reformed to the 393 | minimum extent necessary to make it enforceable. If the provision 394 | cannot be reformed, it shall be severed from this Public License 395 | without affecting the enforceability of the remaining terms and 396 | conditions. 397 | 398 | c. No term or condition of this Public License will be waived and no 399 | failure to comply consented to unless expressly agreed to by the 400 | Licensor. 401 | 402 | d. Nothing in this Public License constitutes or may be interpreted 403 | as a limitation upon, or waiver of, any privileges and immunities 404 | that apply to the Licensor or You, including from the legal 405 | processes of any jurisdiction or authority. 406 | 407 | 408 | ======================================================================= 409 | 410 | Creative Commons is not a party to its public 411 | licenses. Notwithstanding, Creative Commons may elect to apply one of 412 | its public licenses to material it publishes and in those instances 413 | will be considered the “Licensor.” The text of the Creative Commons 414 | public licenses is dedicated to the public domain under the CC0 Public 415 | Domain Dedication. Except for the limited purpose of indicating that 416 | material is shared under a Creative Commons public license or as 417 | otherwise permitted by the Creative Commons policies published at 418 | creativecommons.org/policies, Creative Commons does not authorize the 419 | use of the trademark "Creative Commons" or any other trademark or logo 420 | of Creative Commons without its prior written consent including, 421 | without limitation, in connection with any unauthorized modifications 422 | to any of its public licenses or any other arrangements, 423 | understandings, or agreements concerning use of licensed material. For 424 | the avoidance of doubt, this paragraph does not form part of the 425 | public licenses. 426 | 427 | Creative Commons may be contacted at creativecommons.org. 428 | 429 | 430 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # r/selfhosted security guides 2 | 3 | [![CC-BY-SA](https://i.creativecommons.org/l/by-sa/4.0/88x31.png)](LICENSE.md) 4 | 5 | Started from the beginners security guide on r/selfhosted - this repo aims to be a collection of guides on all levels for those who seek to make their selfhosted applications and servers more secure. 6 | 7 | 8 | # What is this? 9 | 10 | This place aims to be a collection of security-related knowledge, mainly on the blue-team side. (As there are plenty of red-team collections out there already) 11 | 12 | Most guides are third-party while I and some people around me happily contribute (or might do so in the future) to a few self-baked ones as well. 13 | 14 | This collection was created in order to help people gain some insight in what they're exposing to the internet and what is or isn't reasonable security in one's situation. 15 | 16 | 17 | 18 | # The guides 19 | 20 | **Introduction** 21 | 22 | These guides are sorted by subject and difficulty. 23 | More will be added as time passes. 24 | 25 | ## Basic concepts 26 | 27 | 28 | 29 | 30 | ## Security theory 31 | 32 | ### Threat modeling 33 | 34 | ### Threat actors 35 | 36 | ### 37 | 38 | 39 | 40 | ## Practical Guides 41 | 42 | ### General 43 | 44 | * ImTheNachoMan 's [How to secure a Linux server](https://github.com/imthenachoman/How-To-Secure-A-Linux-Server) 45 | 46 | @ImTheNachoMan maintains a well-rounded guide into security on Linux platforms, as well trying to teach people why this security matters 47 | 48 | * ZeroTier One - A guide to a self-hostable L2/L3 WAN [here](https://github.com/justSem/r-selfhosted-security/blob/main/guides-by-topic/Zerotier.md) 49 | 50 | Credit goes to @d-rickyy-b for his hard work! 51 | 52 | 53 | ### Beginner 54 | 55 | 56 | ### Intermediate 57 | 58 | 59 | ### Advanced 60 | 61 | 62 | ### InfoSec Pro 63 | 64 | 65 | # Disclaimer and warranty. 66 | I am not associated with the mod team of r/selfhosted not do I express their opinion in any way. 67 | I also strongly encourage everyone to perform their own research, and to _not_ mindlessly follow a random guide. 68 | Therefor this collection is simply a collection of knowledge and is in no way any turn-key or magic solution to your security-based questions. 69 | For further details see [LICENSE.md](LICENSE.md) 70 | -------------------------------------------------------------------------------- /beginners-guide/README.md: -------------------------------------------------------------------------------- 1 | # First: What's going on? 2 | 3 | Recently posts have been showing up about people finding others' exposed dashboards or even fully unprotected services such as Heimdall, Pihole, Calibre, you name it. People expose it all on the public web, often without even knowing they're doing so. 4 | 5 | To some this might seem innocent, but it's not. Even if you're not a specific target to anyone, there a lots of automated bots and botnets out there who just scan the entire internet for exposed services like yours in order to exploit those. 6 | 7 | 8 | 9 | **So what are the dangers of this exactly?** 10 | 11 | Those services you're hosting are exposing a lot of your private info. I'll list a few examples of things I come across. 12 | 13 | * I once came across a fully open Calibre instance, upon browsing through it I found out that this particular person configured Calibres mail settings using their GMail details, just a little tinkering exposed their full GMail username and password 14 | * People tend to use their full names, or even full address info, etc. in things like Nextcloud, maybe even things like Pihole or Heimdall. This *will* make you a target for (automated) phishing campaigns. If those services are publicly accessible you can easily assume that someone has already got his hands on your info. 15 | 16 | So this all might seem innocuous to some, or some might even utter the: But I have nothing to hide - kind of phrase. But think about why most people are self-hosting in the first place. Privacy is most likely a big part of that, and now you're putting that out on the web for everyone to see? 17 | 18 | In example: Big data, botnets, hackers, etc. can build an extensive profile based on this kind of info: 19 | 20 | * One could sift through your Calibre service to find out what things you read. 21 | * One could sift through your Pihole logs to find out what you do on the web. 22 | * One could search through your Plex, Jellyfin, or others to find out what things you like to watch. 23 | 24 | This kind of info is especially useful for things like Phishing campaigns. The more familiar and polished a phishing mail is, the more likely you'll fall for it. And you *will* be targeted. No-one's exempt. 25 | 26 | 27 | 28 | Another danger is the case where people have a set-and-forget mentality, which leads them to never updating their services. In that case your service **will** get hacked at some point which might result in anything from your device being abused as cryptominer, to your connection being abused for malicious traffic, your devices being enslaved into a botnet or an actual human hacker who might have even more sinister intents. 29 | 30 | 31 | Additionally some router models allow to automatically open ports via the UPnP protocol (short for *universal plug and play*). That's very convenient for hardware manufacturers, as they don't need to guide customers through a router interface that's going to be different on every model. This takes away your control over which ports are allowed to be reachable over the internet and you rely on the router manufacturer to make sure your router firmware is patched. Plus you easily might forget that you have activated that setting at some point in the past. 32 | 33 | 34 | # How do I know if I'm publicly exposing services? 35 | 36 | There are a few indicators which will easily tell you: 37 | 38 | * Did you ever follow a guide that told you to port-forward something? 39 | * Do you proxy or forward your services using a reverse proxy? (i.e. Nginx proxy manager) 40 | * Can you access your services from anywhere (i.e. from your phone) without any extra effort like a VPN. 41 | 42 | 43 | 44 | **I'm not sure, how do I check?** 45 | 46 | There are plenty of tools that will freely tell you if you're hosting something. First you'll need to know your public IP. Some site like [https://whatismyipaddress.com/](https://whatismyipaddress.com/) will tell you. 47 | 48 | Please realise you might have a number of different IP addresses dependent on if your provider provides you with both IPv4 and/or IPv6. Your *public* IPv4 address will be the same for all devices in your network, but your IPv6 address will be different *per device!* 49 | 50 | The following tools might give you an insight in the ports you have opened publicly: 51 | 52 | * **Shodan** [https://shodan.io](https://shodan.io) \- Shodan does it's own scanning but will not per-say reveal everything as it does not tend to scan every single open port at any given time. Some IP addresses might not even be listed in Shodan. 53 | * **Yougetsignal** [https://www.yougetsignal.com/tools/open-ports/](https://www.yougetsignal.com/tools/open-ports/) \- Chances are that if you've been port forwarding you've been using a tool like this to actually verify if the port you've configured is accessible. 54 | * **ShieldsUp!** [https://www.grc.com/x/ne.dll?bh0bkyd2](https://www.grc.com/x/ne.dll?bh0bkyd2) \- Steve Gibson's classic tool will scan common ports, check for exposed Windows services, or scan a custom range of ports that you specify. 55 | 56 | **I'm still unsure and I want to scan it all, how do I do that?** 57 | 58 | This section is slightly more advanced, but if you can selfhost then you can do this too! 59 | 60 | First you'll need a device that does *not* host any of your services and a **different internet connection**. (Your phone's 4G or a neighbours WiFi will do). 61 | 62 | You'll need a port scanning tool, in this case I'll use nmap which is available for practically all linux distributions, macOS and Windows. 63 | 64 | If you're using Windows you can download nmap here: [https://nmap.org/download.html](https://nmap.org/download.html) 65 | 66 | If you're using a Debian based distro (Debian, Ubuntu, Mint, etc.) you can install nmap using `sudo apt install nmap` 67 | 68 | If you're using a Redhat based distro (Redhat, Fedora, CentOS, etc.) you can install nmap using `sudo` `dnf install nmap` 69 | 70 | If you're using macOS you can install nmap using Homebrew ( [https://brew.sh](https://brew.sh) ) by issuing `brew install nmap` 71 | 72 | One you've got nmap setup, make sure you're using a different internet connection and then issue: 73 | 74 | nmap -v -T4 -sV -A -p 1-65535 my.public.ip.address 75 | 76 | This will take a while as it'll scan all available TCP ports. It'll also try to determine what's running on an open port it finds (-sV flag) as well as some additional detection (-A flag) 77 | 78 | 79 | 80 | # Okay, so I do got open ports, what do I do? 81 | 82 | Firstly, you'll have to close them. It's most likely that you'll do this in your router. If you're unsure then I'd suggest you check the guide that you used to setup your service in order to determine what steps you took to expose it to the internet in the first place. 83 | 84 | 85 | 86 | **So now my ports are closed, but I can't access service** ***xyz*** **from remote anymore. What do I do?** 87 | 88 | It's understandable you want to access your services from anywhere, but there are more secure methods for this then simply exposing this. 89 | 90 | There are a number of steps you can take which'll be listed in order from most secure to least. 91 | 92 | * Use a VPN 93 | * Setting up a VPN like [Wireguard](https://www.wireguard.com/) is easy and secure. WireGuard has support for all major devices and it'll allow you to access your entire network from anywhere. 94 | * *Sidenote: You'll have to port forward WireGuard from your router, this is to be expected. But exposing a VPN service to the public internet is way more secure then exposing an unsecured service.* 95 | * Use port-forwarding with specific IPs 96 | * This is a feature some routers might not support. But you can utilize a whitelist of IPs that can access your service. 97 | * Using Cloudflare's[Argo tunnel](https://blog.cloudflare.com/argo-tunnel/) 98 | * By using Cloudflare's Argo tunnel you don't have to open any ports, but instead your webserver will build up a vpn-like connection to cloudflare, over which your webserver will be reachable to cloudflare. Your users then access your service through cloudflare without any risk for you due to exposed ports. 99 | * Utilizing a security CDN like CloudFlare 100 | * Using services like CloudFlare prevents an attacker from learning your actual IP address (unless said IP address can be accessed somehow through your service of course). Additionally CloudFlare actively filters out bots and malicious traffic. Depending on your tier with them you have more granular control and can choose to block entire countries from accessing your site. 101 | * Use a reverse proxy with an authentication frontend 102 | * One could utilize a platform like [Authelia](https://www.authelia.com/) or [Keycloak](https://www.keycloak.org/) to secure public-facing services. 103 | * Use a reverse proxy and utilize access-lists 104 | * A thing one could do with a reverse proxy like nginx is the usage of access lists. By using the `allow` [directive](https://nginx.org/en/docs/http/ngx_http_access_module.html) in the nginx config you can restrict entire services or subfolders to specific IP addresses. 105 | 106 | 107 | 108 | **I've read this all, but I still keep wanting to do the things I do. Any tips?** 109 | 110 | * Be aware of what info you expose using the services you expose to the internet. 111 | * CHANGE DEFAULT PASSWORDS! This cannot be said enough, exposing services is one thing, but not changing passwords is like giving out your credit card to complete strangers and hoping they'll bring it back to you. 112 | 113 | 114 | 115 | # General recommendations 116 | 117 | These might be duplicates of parts above, but it's useful to sum them up: 118 | 119 | 1. Expose only what's really needed: Why would your service need to be open to the internet? 120 | 2. Change default passwords: You don't give your credit card to strangers either, do you? 121 | 3. Use common sense: You can't magically access something you host at home without exposing something to the public internet. 122 | 4. Use 2FA wherever you can. Any form of 2FA is better then nothing. Most services support OTP (Google Authenticator/Authy/Yubico Auth) these days and the more advanced ones even support Webauthn (Yubikeys or any other hardware token) 123 | 5. Make sure UPnP is disabed in your router. 124 | 125 | 126 | To-do parts: 127 | 128 | * >!Extend on how-tos in building Wireguard, Nginx and NAT access lists!< 129 | 130 | 131 | 132 | Changelog: 133 | 134 | * >!Added Clouflare's Argo Tunnel!< 135 | * >!Added 2FA and Cloudflare; Clarified requirement for separate connection for nmap.!< 136 | * >!Initial guide!< 137 | -------------------------------------------------------------------------------- /guides-by-topic/Zerotier.md: -------------------------------------------------------------------------------- 1 | # Zerotier 2 | 3 | 4 | ## Introduction 5 | 6 | Zerotier is a self-hostable product that allows users to create either self-hosted or Zerotier-hosted private networks. 7 | 8 | Zerotier supports a vide variety of devices and offers both L2 and L3 connectivity. 9 | 10 | To translate: L3 or Layer 3 networking is routed networking, like WireGuard does. The main limitation on this is the lack of broadcast traffic on the VPN which is a limitation for a fair set of home apps. 11 | 12 | Zerotier is therefor unique in their offering of L2 support, which _does_ support said traffic. 13 | 14 | 15 | 16 | ## Guides 17 | 18 | @d-Rickyy-b has written a good writeup on zerotier and how it works, you can check it out at the link below. 19 | 20 | [blog.rico-j.de/zerotier-one](https://blog.rico-j.de/zerotier-one/) 21 | 22 | 23 | ## Resources 24 | 25 | [ZeroTier](https://zerotier.com) 26 | -------------------------------------------------------------------------------- /howto/README.md: -------------------------------------------------------------------------------- 1 | # Howto's 2 | 3 | This folder contains separate how-to guides which are linked to from the main guides in this repo. 4 | 5 | 6 | -------------------------------------------------------------------------------- /howto/iptables.md: -------------------------------------------------------------------------------- 1 | # IPTables 2 | 3 | 4 | -------------------------------------------------------------------------------- /howto/wireguard.md: -------------------------------------------------------------------------------- 1 | # Wireguard 2 | 3 | Wireguard is a modern, fast and lightweight VPN. 4 | Contrary to openVPN you don't need a PKI and you can get this baby up-and-running in less then 5 minutes. 5 | 6 | You can setup Wireguard in a number of ways. I'll outline the most popular ones. 7 | 8 | ## 1. Bare metal 9 | 10 | 11 | 12 | 13 | ## 2. Docker image 14 | 15 | 16 | 17 | ## Considerations 18 | 19 | -------------------------------------------------------------------------------- /linux-security-guides/systemd-service-hardening.md: -------------------------------------------------------------------------------- 1 | > NOTICE: This guide is under construction and will be finished in the coming few days. Please check back later if you want the full read. (6th of April 2022) 2 | 3 | # Systemd Service Hardening 4 | 5 | 6 | ## 1. Why? 7 | 8 | A lot of us host services on Linux servers and most distributions nowadays come with Systemd. 9 | The problem is that most services have _a lot_ of permissions __by default__. 10 | 11 | Though there are pro's and cons to systemd it is the most widespread init manager at the time of writing. 12 | As such, systemd does offer us some nice features to sandbox our services. 13 | 14 | 15 | ## 2. What will sandboxing do to my services? 16 | 17 | The answer is: That depends. There is a range of options you can configure of which some will work and some will break. 18 | To fully optimise your sanboxing you need a deeper understanding of what capabilities, system calls, etc. you service needs. 19 | 20 | That's beyond the scope of this piece though. 21 | 22 | In general the idea of sandboxing in this context is to isolate the services you host as much as possible from the system without breaking them. 23 | Additional features such as `CapabilityBoundingSet` and `SystemCallFilter` will even limit what your service is _allowed_ to do. 24 | 25 | 26 | ## 3. Why should I sanbox my services? 27 | 28 | A lot of services are by default ran as root, or have a need for some (subset of) elevated privileges. 29 | This exposes a service to a lot of system data and resources, as you know root can do anything, and so could your service - potentionally. 30 | 31 | A few examples of what a random service ran as root _could_ do: 32 | - Reboot the system 33 | - Load arbitrary kernel modules 34 | - Modify running tasks 35 | - Dump some random proces' memory 36 | - And much, much more. 37 | 38 | 39 | # Getting started 40 | 41 | 42 | ### To be root, or not to be root. 43 | An intial question to ask yourself is: Does my service run as root? And if so, does it need to? 44 | 45 | I've seen many examples or services that run as root just because the developer doesn't know how to properly set permissions. 46 | This can't be fully blamed on the developer, after all they're a developer, not a sysadmin. (And I'm not going to point to any project as examples, because we're not going to shame people here :) ) 47 | 48 | On the other hand there _are_ developers that package their services as rootless or instruct us on how to run them as a normal user. 49 | 50 | So how do you determine if your service needs to run as root? Some very popular ones - such as nginx, or php-fpm - run their master process as root, but why? 51 | Well there are a few reasons for that, here are some: 52 | - Nginx uses ports < 1024. By default this requires the `NET_BIND` capability (more on capabilities later). A capability like this can only be assigned to a privileged process, or a process requesting said privileged (which require `execve` or similar). 53 | - Nginx can do - in special setups - some freaky stuff with sockets and all kind of TCP connections, which might require the spawning of `AF_UNIX` or `AF_NETLINK` sockets. 54 | 55 | So while there are workarounds to run nginx completely rootless it's massively unpractical and easy to break, and obviously beyond the scope of this topic. 56 | 57 | 58 | ### What do I need to sandbox? 59 | Simple, as much as possible of course! 60 | Some services - especially when they start requiring device access, or do advanced things - might not be that sandbox-able at all. 61 | So in my opinion the main idea is to see how strict we can make our sandboxing without breaking (too much) functionality. 62 | 63 | Of course you can try to limit a service's functionality if you know you won't need parts of it. In the nginx example you could try to revoke the AF_UNIX or AF_NETLINK socket permissions. 64 | If that works is dependent on how the program request those rights. 65 | If the program checks those permissions on launch it may break, if it checks them only if you configure the program to use them, you might be in luck. 66 | 67 | 68 | ### Capabilities 69 | There are a few key concepts one needs to understand here - one part of this are [Linux Capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html). 70 | Simply put: Linux capabilities can be compared to a set of admin roles on, let's say a discord server. 71 | 72 | There are (at the time of writing) a total of 41 capabilities, some of which you'll probably never use. 73 | 74 | A few examples of these capabilites are: 75 | - *CAP_SYS_BOOT* Allows the program to reboot the system 76 | - *CAP_SYS_MODULE* Allows the program to load/unload kernel modules 77 | - *CAP_NET_BIND_SERVICE* Allows the program to use ports < 1024. 78 | 79 | Nginx, our example service, obviously doesn't require permissions to reboot the system, or to load/unload kernel modules. 80 | These are capabilities we can easily revoke, so in case you nginx process might become compromised and starts to run arbitrary code it won't be able to 'just' mess with your kernel. 81 | The more capabilities you revoke, the more it'll become a trial-and-error thing. Unless you know in-depth what your service does and doesn't use of course ;) 82 | 83 | These kind of capabilities are an example of 'permissions' you can control with Systemd. 84 | 85 | ### Namespaces 86 | In the rest of this article there will be plenty of mentions on Namespaces. 87 | I recommend you to read a bit about what a namespace is. 88 | Basically, a namespace allows systemd in this case to isolate a process in it's own 'bubble'. This could be a filesystem namespace, but network namespaces might be used as well. 89 | Namespaces can be used for both isolation and functionality. 90 | A big user of network namespaces is docker, which uses the function to stop containers from talking to eachother when they're not supposed to. 91 | Another example of network namespaces is a scenario in which a user utilizes a VPN, but only wants certain services to use that VPN. In that case he can install the VPN adapter in a separate network namespace, which he may assign services to. 92 | 93 | __Further reading__ 94 | [Linux Namespaces - RedHat](https://www.redhat.com/sysadmin/7-linux-namespaces) 95 | [Linux Namespaces and container technology - Medium](https://medium.com/geekculture/linux-namespaces-container-technology-a09da0813247) 96 | 97 | ## Sanboxing features 98 | > Note: All of the following features can be found as well in the [systemd manual](https://www.freedesktop.org/software/systemd/man/systemd.exec.html) 99 | 100 | I'm going to walk you through most of the sandboxing features Systemd offers. Some are rarely used or just not applicable and are therefore omitted. You can - of course - refer to the man page if you want to know more about them. 101 | 102 | __ProtectSystem__ 103 | `ProtectSystem` accepts the values: `true`, `false`, `strict` or `full`. 104 | Simply put: this option allows you to make parts of your filesystem read-only with a single command, generally this does the following 105 | | Value | Action | 106 | | -- | -- | 107 | | `false` | No changes | 108 | | `true` | Mounts `/usr`, `/boot` and `/efi` (if applicable) as read-only | 109 | | `full` | The same as `true` but adds `/etc` to the list | 110 | | `strict` | Mounts the whole FS as read-only except for the API subtrees (`/proc`, `/sys` and `/dev`) | 111 | 112 | There are other options available to protect the paths that aren't covered by `ProtectSystem`. Additionally, you might use `ReadPaths` or `ReadWritePaths` to further fine-tune FS access. 113 | 114 | 115 | __ProtectHome__ 116 | `ProtectHome` accepts the values: `true`, `false`, `read-only` or `tmpfs` 117 | This option is redundant and also covered by others when `read-only` or `tmpf` is used. If `true`, this mounts `/home`, `/root` and `/run/user` as empty, inaccessible directories. 118 | 119 | 120 | __ReadWritePaths, ReadOnlyPaths, InaccessiblePaths, ExecPaths, NoExecPaths__ 121 | The names of these options generally imply their workings. 122 | Paths may be prepended by `-` in which case they'll be ignored if they don't exist (if not, the unit will fail to start). In case a path is prepended with `+` the path will be treated relative to the services' root directory. 123 | You may combine `+` and `-` as `-+`. 124 | Please note that the above options are recusive _by default_. 125 | 126 | One may nest `ReadWritePaths` inside of `ReadOnlyPaths` to allow write access in subdirectories of `ReadOnlyPaths`. The same goes for nesting `ExecPaths` in `NoExecPaths`. 127 | You can _not_ nest `ReadWritePaths` or `ReadOnlyPaths` within `InaccessiblePaths`. In case you want a structure similar to embedding accessible paths within `InaccessiblePaths` please see `TemporaryFileSystem`. 128 | 129 | When using `ProtectSystem=strict` one may use `ReadWritePaths` to make paths within the filesystem writable for the service. 130 | Keep in mind that for these options to be effective, you'll need to combine them with at least: `CapabilityBoundingset=~CAP_SYS_ADMIN` or `SystemCallFilter=~@mount` so the process can't circumvent the restrictions you've imposed. 131 | 132 | 133 | __TemporaryFileSystem__ 134 | Use `TemporaryFileSystem` to setup temporary file-system namespaces for the process. 135 | The option may be called more then once, in which case all previous calls are mounted as well. 136 | Calling the option as `TemporaryFileSystem=` will result in the list to be reset, and all previous tmpfs mounts to be dropped. 137 | 138 | You may specify other options with your mount points, prefixed by a colon `:`. In example: `TemporaryFileSystem=/var:ro` will mount /var as tmps and as read-only. Generally, most common mount options are accepted. 139 | This option may be used in a nesting-situation where one may for example do the following: 140 | ``` 141 | TemporaryFileSystem=/var:ro 142 | BindReadOnlyPaths=/var/lib/systemd 143 | 144 | ``` 145 | This results in the process being unable to see anything in /var, except for /var/lib/systemd 146 | 147 | 148 | __PrivateTmp__ 149 | This option is useful if you want a process to be able to write to standard temporary file folders, but also be unable to access anything in those folders that doesn't belong to said process. 150 | When `PrivateTmp` is set to `true`, systemd will mount a new filesystem namespace as /tmp and /usr/tmp which is to be used exclusively by processes under that systemd unit. 151 | Temporary files belonging to this service are deleted once the service is stopped. 152 | 153 | It is possible to create a situation where two separate systemd units may access the same `PrivateTmp` 'namespace' by using the `JoinsNamespaceOf` directive. 154 | 155 | 156 | __PrivateDevices__ 157 | When set to true, this option blocks access to most physical devices listed under /dev. 158 | This option sets up a new namespace as /dev, in which a process can only access pseudo-devices (such as /dev/null, /dev/zero) and the TTY subsystem (/dev/ttyXX). 159 | When set to true, this automatically revokes the _capabilities_: `CAP_SYS_RAWIO` and `CAP_MKNOD`. It also installs a system call filter blocking calls grouped under `@raw-io`. 160 | This option also implies: `DevicePolicy=closed` 161 | Also: In case the service is running either as non-root, or without the `SYS_CAP_ADMIN` capability, the option `NoNewPrivileges=yes` is implied. 162 | 163 | 164 | __PrivateNetwork__ 165 | When this option is set to `true`, and no other option is given, this essentially disables network access for a service, except on the loopback interface. 166 | This option mounts the service in a new network namespace, in which only a loopback interface is added. 167 | > Keep in mind, that due to the nature of netns, the `lo` device is not the same across different network namespaced. If you're running a service that's accessible on 127.0.0.1, then you won't be able to access it with the service mounted with this option. 168 | 169 | Additionally this option might be used in a scenario where a service is routed over a VPN (for example) in which the VPN adapter can be mounted in the same namespace by chaining systemd-units using the `Requires`, `After` and `JoinsNamespaceOf` directives. 170 | A user may also specify a hard path to a certain network namespace using `NetworkNamespacePath=`. Keep in mind that for `NetworkNamespacePath` to work, the namespace has exist at the moment the service is forked. 171 | 172 | 173 | __PrivateUsers__ 174 | This is useful if you desire to securely detach the service from the user/group database. 175 | Effectively this bars a service from learning about other users on the system, and it creates mappings to achieve that. 176 | 177 | To achieve this, systemd sets up a new user namespace for the processes and configures a minimal user and group mapping which maps the `root` user and group as well as the service's own user and group to themselves and everything else to the "nobody" user and group. 178 | From the service's perspective this means that everything owned by itself and root will be visible as owned by those users, but everything else will be mapped as `nobody`. Hence, effectively isolating the service from learning user/group names and IDs. 179 | 180 | 181 | __ProtectHostname__ 182 | When set to true, this prevents the system's hostname from being changes by the service. 183 | Due to the way this is set-up, this also prevents the service from noticing once a hostname has changed. Meaning you'll need to restart the service in order for it to recognise a changed hostname. 184 | 185 | 186 | __ProtectClock__ 187 | When set to true, this denies writes to both the system and hardware clock by the service. 188 | 189 | 190 | __ProtectKernelTunables__ 191 | This makes all kernel tuneables (of which most only need to be set at boot) accessible through `/proc/sys/`, `/sys/`, `/proc/sysrq-trigger`, `/proc/latency_stats`, `/proc/acpi`, `/proc/timer_stats`, `/proc/fs` and `/proc/irq` as read-only. 192 | This setting is recommended for most services. 193 | 194 | 195 | __ProtectKernelModules__ 196 | When true, disables the loading or unloading of kernel modules. 197 | This setting is recommended for services that don't need extra kernel modules to work. 198 | 199 | 200 | __ProtectKernelLogs__ 201 | Disables both read and write access to the kernel log ring. 202 | 203 | 204 | __ProtectControlGroups__ 205 | Mounts `/sys/fs/cgroup/` as read-only. 206 | This is recommended for most services as virtually no service (with the exception for most container-manager services) requires access to these paths. 207 | 208 | 209 | __RestrictAddressFamilies__ 210 | This option allows you to restrict the kinds of sockets a service may bind themselves to. 211 | You can set this to `none` to completely disable access to the `socket()` system call. You can use a space-separated allow list (i.e. `AF_INET AF_INET6`) of address families to restrict specific address families. 212 | Prefix your list with `~` to use it as deny- rather then a allow-list. 213 | Please note that this only affects sockets launched through the `socket()` system call, other means of accessing sockets (i.e. through [systemd sockets](https://www.freedesktop.org/software/systemd/man/systemd.socket.html#) or through the `socketpair()` system call) are still possible. 214 | 215 | 216 | __RestrictFileSystems__ 217 | Allows you to specify a set of space-separated filesystems a service can open files on. 218 | i.e.: `RestrictFileSystems=ext4 tmpfs` allows access to `ext4` and `tmpfs` filesystems, but denies access to others. 219 | 220 | 221 | __LockPersonality__ 222 | When set to true, this locks down the [personality(2)](http://man7.org/linux/man-pages/man2/personality.2.html) system call, preventing the service from changing execution domains or a personality set through the `Personality=` directive. 223 | 224 | 225 | __MemoryDenyWriteExecute__ 226 | If set to true, attempts to create memory mappings that are writable and executable at the same time, or to change existing memory mappings to become executable, or mapping shared memory segments as executable are denied. 227 | This installs a system-call filter, blocking calls from `mmap(2)`, `mprotect(2)`, `pkey_protect(2)` and `shmat(2)` in which the calls attempt to map memory as both writeable and executable. 228 | 229 | 230 | __RestrictRealtime__ 231 | If set to true, this option effectively blocks access to real-time process scheduling. This may be used in a situation where a process can attempt to use too much cpu time. Which in return could cause Denial-of-Service situations. 232 | 233 | 234 | __RestrictSUIDSGID__ 235 | If set to true, blocks the setting of SUID or GUID bits on files/folders/processes. 236 | This option is automatically implied if you're using the `DynamicUser` directive. 237 | 238 | 239 | __PrivateMounts__ 240 | This option is a one-way block in which systemd sets-up a new namespace for mounts created by the process. 241 | Effectively this means that a host cannot see mounts created by the service, but the service can see mounts created by the host. 242 | 243 | 244 | ## System call filtering 245 | > To be continued :) 246 | --------------------------------------------------------------------------------