-
Notifications
You must be signed in to change notification settings - Fork 0
54 lines (49 loc) · 1.13 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
[Unit]
Description=An @PROTOCOL@ tarpit on port %i
Requires=tarpyt-@PROTOCOL@@%i.socket
[Service]
Type=notify
ExecStart=@bindir@/tarpyt --protocol @PROTOCOL@ --log-level INFO
LogExtraFields=SYSLOG_IDENTIFIER="tarpyt-@PROTOCOL@-%i"
# Low CPU priority/resources
Nice=19
CPUWeight=idle
CPUQuota=10%
CPUSchedulingPolicy=idle
# Bound memory to prevent DDOS
# (20 MiB should be enough for anyone)
MemoryHigh=20M
ManagedOOMMemoryPressure=kill
# Run as a random user in a user namespace
PrivateUsers=yes
DynamicUser=yes
# Sandboxing
NoNewPrivileges=yes
CapabilityBoundingSet=
ProtectSystem=strict
ProtectHome=yes
PrivateDevices=yes
ProtectProc=invisible
PrivateTmp=yes
PrivateNetwork=yes
PrivateIPC=yes
ProtectHostname=yes
ProtectClock=yes
ProtectKernelLogs=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictAddressFamilies=AF_UNIX
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
LockPersonality=yes
KeyringMode=private
MemoryDenyWriteExecute=yes
PrivateMounts=yes
SystemCallFilter=@system-service
SystemCallArchitectures=native
DevicePolicy=closed
IPAddressDeny=any
ReadOnlyPaths=/
InaccessiblePaths=/etc /var