apply hardening measures to all systemd services

PrivateTmp=true
ProtectSystem=full
NoNewPrivileges=true
PrivateDevices=true
This commit is contained in:
openoms
2021-06-02 09:18:29 +01:00
parent 21a1ed0f1e
commit 2042167e8e
22 changed files with 134 additions and 0 deletions


@@ -49,6 +49,7 @@ Ensure that you put quotes around fingerprints containing spaces if importing wi
# Physical Security
* The lightning wallet and user interfaces are password protected by default so this has more privacy implications (in the case of physical theft) than security.
* Basic hardening measures are applied to all systemd services
* Optional log in through SSH using a hardware wallet.
* LUKS encryption would be welcome in the future.


@@ -20,5 +20,11 @@ TimeoutSec=10
RestartSec=10
StandardOutput=journal
# Hardening measures
PrivateTmp=true
ProtectSystem=full
NoNewPrivileges=true
PrivateDevices=true
[Install]
WantedBy=multi-user.target
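Review bot: `ProtectSystem=full` only makes /usr, /boot and /etc read-only, so the new block still leaves /home and /var fully writable to the service; where a unit only needs its own data directory, `ProtectSystem=strict` together with an explicit `ReadWritePaths=` for that directory is the tighter form, though the required paths differ per service and should be verified before switching. The same six-line block is added in every other unit hunk of this commit, so this applies to all of them. Two further directives that fit alongside the four chosen here are `ProtectKernelTunables=true` and `ProtectControlGroups=true`, which are independent of where the daemon writes. Because several units launch executables from /home (e.g. `ExecStart=/home/admin/_bootstrap.sh` in a later hunk), `ProtectHome=` presumably cannot be used; that constraint deserves a line above the block such as `# ProtectHome= not set: binaries and data live under /home`.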


@@ -23,5 +23,11 @@ RestartSec=30
StandardOutput=null
StandardError=journal
# Hardening measures
PrivateTmp=true
ProtectSystem=full
NoNewPrivileges=true
PrivateDevices=true
[Install]
WantedBy=multi-user.target


@@ -14,5 +14,11 @@ ExecStart=/home/admin/_bootstrap.sh
StandardOutput=journal
StandardError=journal
# Hardening measures
PrivateTmp=true
ProtectSystem=full
NoNewPrivileges=true
PrivateDevices=true
[Install]
WantedBy=multi-user.target


@@ -23,5 +23,11 @@ RestartSec=30
StandardOutput=null
StandardError=journal
# Hardening measures
PrivateTmp=true
ProtectSystem=full
NoNewPrivileges=true
PrivateDevices=true
[Install]
WantedBy=multi-user.target


@@ -24,5 +24,11 @@ RestartSec=60
StandardOutput=null
StandardError=journal
# Hardening measures
PrivateTmp=true
ProtectSystem=full
NoNewPrivileges=true
PrivateDevices=true
[Install]
WantedBy=multi-user.target


@@ -207,6 +207,12 @@ User=btcrpcexplorer
Restart=on-failure
RestartSec=600
# Hardening measures
PrivateTmp=true
ProtectSystem=full
NoNewPrivileges=true
PrivateDevices=true
[Install]
WantedBy=multi-user.target
EOF


@@ -379,6 +379,7 @@ Type=simple
PIDFile=/run/nbxplorer/nbxplorer.pid
Restart=on-failure
# Hardening measures
PrivateTmp=true
ProtectSystem=full
NoNewPrivileges=true
@@ -461,6 +462,12 @@ Type=simple
PIDFile=/run/btcpayserver/btcpayserver.pid
Restart=on-failure
# Hardening measures
PrivateTmp=true
ProtectSystem=full
NoNewPrivileges=true
PrivateDevices=true
[Install]
WantedBy=multi-user.target
" | sudo tee /etc/systemd/system/btcpayserver.service


@@ -106,6 +106,12 @@ TimeoutSec=60
Restart=always
RestartSec=60
# Hardening measures
PrivateTmp=true
ProtectSystem=full
NoNewPrivileges=true
PrivateDevices=true
[Install]
WantedBy=multi-user.target
" | sudo tee -a /etc/systemd/system/circuitbreaker.service


@@ -289,6 +289,12 @@ RestartSec=30
StandardOutput=null
StandardError=journal
# Hardening measures
PrivateTmp=true
ProtectSystem=full
NoNewPrivileges=true
PrivateDevices=true
[Install]
WantedBy=multi-user.target
EOF


@@ -408,6 +408,12 @@ TimeoutSec=60
Restart=always
RestartSec=60
# Hardening measures
PrivateTmp=true
ProtectSystem=full
NoNewPrivileges=true
PrivateDevices=true
[Install]
WantedBy=multi-user.target
" | sudo tee -a /etc/systemd/system/electrs.service


@@ -221,6 +221,12 @@ RestartSec=30
StandardOutput=null
StandardError=journal
# Hardening measures
PrivateTmp=true
ProtectSystem=full
NoNewPrivileges=true
PrivateDevices=true
[Install]
WantedBy=multi-user.target
" | sudo tee -a /etc/systemd/system/faraday.service


@@ -127,6 +127,12 @@ Restart=on-failure
StartLimitIntervalSec=600
StartLimitBurst=2
# Hardening measures
PrivateTmp=true
ProtectSystem=full
NoNewPrivileges=true
PrivateDevices=true
[Install]
WantedBy=multi-user.target
EOF


@@ -291,6 +291,12 @@ TimeoutSec=60
Restart=always
RestartSec=60
# Hardening measures
PrivateTmp=true
ProtectSystem=full
NoNewPrivileges=true
PrivateDevices=true
[Install]
WantedBy=multi-user.target
" | sudo tee -a /etc/systemd/system/litd.service


@@ -328,6 +328,12 @@ RestartSec=30
StandardOutput=null
StandardError=journal
# Hardening measures
PrivateTmp=true
ProtectSystem=full
NoNewPrivileges=true
PrivateDevices=true
[Install]
WantedBy=multi-user.target
EOF


@@ -121,6 +121,12 @@ TimeoutSec=60
Restart=always
RestartSec=60
# Hardening measures
PrivateTmp=true
ProtectSystem=full
NoNewPrivileges=true
PrivateDevices=true
[Install]
WantedBy=multi-user.target
" | sudo tee -a /etc/systemd/system/loopd.service


@@ -255,6 +255,12 @@ User=mempool
Restart=on-failure
RestartSec=600
# Hardening measures
PrivateTmp=true
ProtectSystem=full
NoNewPrivileges=true
PrivateDevices=true
[Install]
WantedBy=multi-user.target
EOF


@@ -119,6 +119,12 @@ TimeoutSec=60
Restart=always
RestartSec=60
# Hardening measures
PrivateTmp=true
ProtectSystem=full
NoNewPrivileges=true
PrivateDevices=true
[Install]
WantedBy=multi-user.target
" | sudo tee /etc/systemd/system/poold.service


@@ -255,6 +255,12 @@ RestartSec=30
StandardOutput=null
StandardError=journal
# Hardening measures
PrivateTmp=true
ProtectSystem=full
NoNewPrivileges=true
PrivateDevices=true
[Install]
WantedBy=multi-user.target
EOF
@@ -290,6 +296,12 @@ RestartSec=30
StandardOutput=null
StandardError=journal
# Hardening measures
PrivateTmp=true
ProtectSystem=full
NoNewPrivileges=true
PrivateDevices=true
[Install]
WantedBy=multi-user.target
" | sudo tee /etc/systemd/system/${netprefix}${typeprefix}RTL.service


@@ -442,6 +442,12 @@ RestartSec=30
StandardOutput=journal
StandardError=journal
# Hardening measures
PrivateTmp=true
ProtectSystem=full
NoNewPrivileges=true
PrivateDevices=true
[Install]
WantedBy=multi-user.target
EOF


@@ -223,6 +223,12 @@ RestartSec=30
StandardOutput=null
StandardError=journal
# Hardening measures
PrivateTmp=true
ProtectSystem=full
NoNewPrivileges=true
PrivateDevices=true
[Install]
WantedBy=multi-user.target
" | sudo tee /etc/systemd/system/thunderhub.service


@@ -34,6 +34,12 @@ Environment="AUTOSSH_GATETIME=0"
ExecStart=/usr/bin/autossh [MONITORING-PORT] -N -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o ServerAliveInterval=60 -o ServerAliveCountMax=2 [PLACEHOLDER]
StandardOutput=journal
# Hardening measures
PrivateTmp=true
ProtectSystem=full
NoNewPrivileges=true
PrivateDevices=true
[Install]
WantedBy=multi-user.target
"""