From d7541db6591704f68ed9e6870cbbab9b4a439dd2 Mon Sep 17 00:00:00 2001
From: analotia <71077389+analotia@users.noreply.github.com>
Date: Fri, 18 Sep 2020 10:22:32 +0300
Subject: [PATCH 1/9] Hardening and more for the systemd service

Performance improvements, auto-restart on failure to prevent unattended routers from shutting down by accident, and leveraging systemd's security features.
---
 contrib/i2pd.service | 42 ++++++++++++++++++++++++++++++++++++------
 1 file changed, 36 insertions(+), 6 deletions(-)

diff --git a/contrib/i2pd.service b/contrib/i2pd.service
index 8ce851b0..68258d3d 100644
--- a/contrib/i2pd.service
+++ b/contrib/i2pd.service
@@ -1,21 +1,26 @@
+# /etc/systemd/system/i2pd.service
 [Unit]
 Description=I2P Router written in C++
 Documentation=man:i2pd(1) https://i2pd.readthedocs.io/en/latest/
 After=network.target
+ConditionFileIsExecutable=/usr/sbin/i2pd
 
 [Service]
 User=i2pd
 Group=i2pd
+PermissionsStartOnly=yes
+
 RuntimeDirectory=i2pd
 RuntimeDirectoryMode=0700
 LogsDirectory=i2pd
 LogsDirectoryMode=0700
-Type=forking
-ExecStart=/usr/sbin/i2pd --conf=/etc/i2pd/i2pd.conf --tunconf=/etc/i2pd/tunnels.conf --tunnelsdir=/etc/i2pd/tunnels.conf.d --pidfile=/run/i2pd/i2pd.pid --logfile=/var/log/i2pd/i2pd.log --daemon --service
+Type=exec
+Environment="DAEMON_OPTS=--conf=/etc/i2pd/i2pd.conf --tunconf=/etc/i2pd/tunnels.conf --tunnelsdir=/etc/i2pd/tunnels.conf.d --pidfile=/run/i2pd/i2pd.pid --logfile=/var/log/i2pd/i2pd.log --service"
+EnvironmentFile=-/etc/default/i2pd
+ExecStart=/usr/sbin/i2pd $DAEMON_OPTS
 ExecReload=/bin/sh -c "kill -HUP $MAINPID"
 PIDFile=/run/i2pd/i2pd.pid
-### Uncomment, if auto restart needed
-#Restart=on-failure
+Restart=on-failure
 KillSignal=SIGQUIT
 # If you have the patience waiting 10 min on restarting/stopping it, uncomment this.
 
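Review bot: `PermissionsStartOnly=yes`, added in the [Service] block, is a deprecated setting (the current form is the `+` prefix on `ExecStartPre=`/`ExecStart=`) and this unit has no ExecStartPre/ExecStartPost line for it to act on, so it can simply be dropped. `Type=exec` is only understood by systemd 240 and newer and an unknown service type makes the unit fail to load, so the supported baseline should be stated next to it, e.g. `# Type=exec needs systemd >= 240; use Type=simple on older releases`. `EnvironmentFile=-/etc/default/i2pd` lets that file replace `$DAEMON_OPTS` wholesale, so a misconfigured file silently drops `--conf`/`--tunconf` rather than overriding a single option; a one-line comment above `Environment=` saying that the file must restate the full option set would prevent that surprise. `PIDFile=` is carried over from the forking variant; with `Type=exec` systemd tracks the main PID itself, so the line is presumably redundant and worth a comment or removal.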
@@ -23,10 +28,35 @@ KillSignal=SIGQUIT
 #KillSignal=SIGINT
 #TimeoutStopSec=10m
 
-# If you have problems with hanging i2pd, you can try increase this
-LimitNOFILE=4096
+LimitNOFILE=65536
 # To enable write of coredump uncomment this
 #LimitCORE=infinity
 
+# Hardening
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateUsers=true
+PrivateDevices=yes
+ProtectHome=yes
+ProtectSystem=full
+ProtectClock=true
+ProtectControlGroups=yes
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectSystem=strict
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=cgroup ipc mnt pid user uts
+RestrictRealtime=true
+RestrictSUIDSGID=true
+RemoveIPC=true
+ReadOnlyDirectories=/
+ReadWriteDirectories=-/proc
+ReadWriteDirectories=-/var/lib/i2pd
+ReadWriteDirectories=-/var/log/i2pd
+ReadWriteDirectories=-/run
+CapabilityBoundingSet=
+
 [Install]
 WantedBy=multi-user.target

From 54ee0a14c3c19bcbbe33bd4df79c6822f270c600 Mon Sep 17 00:00:00 2001
From: analotia <71077389+analotia@users.noreply.github.com>
Date: Fri, 18 Sep 2020 10:24:20 +0300
Subject: [PATCH 2/9] Update i2pd.service

---
 contrib/i2pd.service | 1 -
 1 file changed, 1 deletion(-)

diff --git a/contrib/i2pd.service b/contrib/i2pd.service
index 68258d3d..43a0f1ad 100644
--- a/contrib/i2pd.service
+++ b/contrib/i2pd.service
@@ -1,4 +1,3 @@
-# /etc/systemd/system/i2pd.service
 [Unit]
 Description=I2P Router written in C++
 Documentation=man:i2pd(1) https://i2pd.readthedocs.io/en/latest/

From e628483c31b56d1932cb9db22e09f3253cc9832f Mon Sep 17 00:00:00 2001
From: analotia
Date: Fri, 18 Sep 2020 16:41:13 +0300
Subject: [PATCH 3/9] Remove /proc line

---
 contrib/i2pd.service | 1 -
 1 file changed, 1 deletion(-)

diff --git a/contrib/i2pd.service b/contrib/i2pd.service
index 43a0f1ad..0bd6d8ce 100644
--- a/contrib/i2pd.service
+++ b/contrib/i2pd.service
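Review bot: `ProtectSystem=full` and `ProtectSystem=strict` are both set in the new hardening block; systemd applies the last assignment, so `strict` is what takes effect and the `full` line should go so the file does not read as if `full` were the policy. `ReadOnlyDirectories=` and `ReadWriteDirectories=` are the deprecated spellings of `ReadOnlyPaths=`/`ReadWritePaths=`, and `ReadOnlyDirectories=/` is already implied by `ProtectSystem=strict`. The `-` prefix on `ReadWriteDirectories=-/var/lib/i2pd` means a missing data directory is silently left read-only under `strict`, so adding `StateDirectory=i2pd` (matching the existing `RuntimeDirectory=`/`LogsDirectory=` lines) would create it with the right owner; as far as I recall systemd also makes RuntimeDirectory/StateDirectory/LogsDirectory writable under `strict` automatically, which would make the `/run` and `/var/log/i2pd` entries redundant, but that should be confirmed against the target systemd version. `RestrictAddressFamilies=AF_INET AF_INET6` will break any listener that i2pd.conf configures on a Unix socket, so either add AF_UNIX or document the restriction in a comment. The [Service] section this hunk edits begins outside the hunk.
```ini
# … unchanged: NoNewPrivileges=yes … ProtectKernelTunables=yes (the ProtectSystem=full line is dropped) …
ProtectSystem=strict
# … unchanged: RestrictAddressFamilies … RemoveIPC … ; /proc entry is handled by PATCH 3/9 …
StateDirectory=i2pd
ReadWritePaths=-/var/lib/i2pd
ReadWritePaths=-/var/log/i2pd
ReadWritePaths=-/run
CapabilityBoundingSet=
```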
@@ -51,7 +51,6 @@ RestrictRealtime=true
 RestrictSUIDSGID=true
 RemoveIPC=true
 ReadOnlyDirectories=/
-ReadWriteDirectories=-/proc
 ReadWriteDirectories=-/var/lib/i2pd
 ReadWriteDirectories=-/var/log/i2pd
 ReadWriteDirectories=-/run

From 2cb5c0df2c74fb5cdcf298ba4b7c300478a5ea22 Mon Sep 17 00:00:00 2001
From: analotia
Date: Fri, 18 Sep 2020 17:20:03 +0300
Subject: [PATCH 4/9] change i2pd loglevel in systemd service

---
 contrib/i2pd.service | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/contrib/i2pd.service b/contrib/i2pd.service
index 0bd6d8ce..3b9aa672 100644
--- a/contrib/i2pd.service
+++ b/contrib/i2pd.service
@@ -14,12 +14,13 @@ RuntimeDirectoryMode=0700
 LogsDirectory=i2pd
 LogsDirectoryMode=0700
 Type=exec
-Environment="DAEMON_OPTS=--conf=/etc/i2pd/i2pd.conf --tunconf=/etc/i2pd/tunnels.conf --tunnelsdir=/etc/i2pd/tunnels.conf.d --pidfile=/run/i2pd/i2pd.pid --logfile=/var/log/i2pd/i2pd.log --service"
+Environment="DAEMON_OPTS=--conf=/etc/i2pd/i2pd.conf --tunconf=/etc/i2pd/tunnels.conf --tunnelsdir=/etc/i2pd/tunnels.conf.d --pidfile=/run/i2pd/i2pd.pid --logfile=/var/log/i2pd/i2pd.log --loglevel=error --service"
 EnvironmentFile=-/etc/default/i2pd
 ExecStart=/usr/sbin/i2pd $DAEMON_OPTS
 ExecReload=/bin/sh -c "kill -HUP $MAINPID"
 PIDFile=/run/i2pd/i2pd.pid
-Restart=on-failure
+### Uncomment, if auto restart needed
+Restart=always
 KillSignal=SIGQUIT
 # If you have the patience waiting 10 min on restarting/stopping it, uncomment this.
 
@@ -27,6 +28,7 @@ KillSignal=SIGQUIT
 #KillSignal=SIGINT
 #TimeoutStopSec=10m
 
+# If you have problems with hanging i2pd, you can try increase this
 LimitNOFILE=65536
 # To enable write of coredump uncomment this
 #LimitCORE=infinity
@@ -51,6 +53,7 @@ RestrictRealtime=true
 RestrictSUIDSGID=true
 RemoveIPC=true
 ReadOnlyDirectories=/
+#ReadWriteDirectories=-/proc
 ReadWriteDirectories=-/var/lib/i2pd
 ReadWriteDirectories=-/var/log/i2pd
 ReadWriteDirectories=-/run

From c916616e3725372f6ad7597420cc4b0f9f70751c Mon Sep 17 00:00:00 2001
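Review bot: `--loglevel=error` is now hard-coded into `DAEMON_OPTS` in the unit itself (first hunk of PATCH 4/9), which, if the command-line flag takes precedence over i2pd.conf as command-line options usually do, silently overrides whatever `loglevel` the operator set in the config file and hides the warnings that are most useful when diagnosing tunnel or transport problems. Since `/etc/default/i2pd` already exists as the local override point, either leave the level to i2pd.conf or document the override with `# --loglevel here overrides loglevel in i2pd.conf; change it via /etc/default/i2pd`. The same hunk reintroduces the `### Uncomment, if auto restart needed` comment above an active `Restart=` line, so the comment no longer describes the line below it.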
From: analotia
Date: Fri, 18 Sep 2020 17:25:21 +0300
Subject: [PATCH 5/9] fixing

---
 contrib/i2pd.service | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/contrib/i2pd.service b/contrib/i2pd.service
index 3b9aa672..662a4cb0 100644
--- a/contrib/i2pd.service
+++ b/contrib/i2pd.service
@@ -19,8 +19,7 @@ EnvironmentFile=-/etc/default/i2pd
 ExecStart=/usr/sbin/i2pd $DAEMON_OPTS
 ExecReload=/bin/sh -c "kill -HUP $MAINPID"
 PIDFile=/run/i2pd/i2pd.pid
-### Uncomment, if auto restart needed
-Restart=always
+Restart=on-failure
 KillSignal=SIGQUIT
 # If you have the patience waiting 10 min on restarting/stopping it, uncomment this.
 
@@ -28,7 +27,6 @@ KillSignal=SIGQUIT
 #KillSignal=SIGINT
 #TimeoutStopSec=10m
 
-# If you have problems with hanging i2pd, you can try increase this
 LimitNOFILE=65536
 # To enable write of coredump uncomment this
 #LimitCORE=infinity
@@ -53,7 +51,6 @@ RestrictRealtime=true
 RestrictSUIDSGID=true
 RemoveIPC=true
 ReadOnlyDirectories=/
-#ReadWriteDirectories=-/proc
 ReadWriteDirectories=-/var/lib/i2pd
 ReadWriteDirectories=-/var/log/i2pd
 ReadWriteDirectories=-/run

From 155125a5bf8c6217eb9a4f80f337e4058c75abdb Mon Sep 17 00:00:00 2001
From: analotia
Date: Fri, 18 Sep 2020 18:20:05 +0300
Subject: [PATCH 6/9] more hardening

---
 contrib/i2pd.service | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/contrib/i2pd.service b/contrib/i2pd.service
index 662a4cb0..b5310809 100644
--- a/contrib/i2pd.service
+++ b/contrib/i2pd.service
@@ -35,6 +35,7 @@ LimitNOFILE=65536
 NoNewPrivileges=yes
 PrivateTmp=yes
 PrivateUsers=true
+DevicePolicy=closed
 PrivateDevices=yes
 ProtectHome=yes
 ProtectSystem=full
@@ -46,7 +47,7 @@ ProtectKernelModules=yes
 ProtectKernelTunables=yes
 ProtectSystem=strict
 RestrictAddressFamilies=AF_INET AF_INET6
-RestrictNamespaces=cgroup ipc mnt pid user uts
+RestrictNamespaces=true
 RestrictRealtime=true
 RestrictSUIDSGID=true
 RemoveIPC=true
@@ -55,6 +56,11 @@ ReadWriteDirectories=-/var/lib/i2pd
 ReadWriteDirectories=-/var/log/i2pd
 ReadWriteDirectories=-/run
 CapabilityBoundingSet=
+UMask=0077
+LockPersonality=true
+MemoryDenyWriteExecute=true
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @debug @module @mount @raw-io @reboot @mount @raw-io @reboot @swap @privileged @resources @cpu-emulation @obsolete
 
 [Install]
 WantedBy=multi-user.target

From dbb43eeb31230ee06828db47b3bf48d98e992730 Mon Sep 17 00:00:00 2001
From: analotia
Date: Fri, 18 Sep 2020 18:21:54 +0300
Subject: [PATCH 7/9] Update i2pd.service

---
 contrib/i2pd.service | 1 -
 1 file changed, 1 deletion(-)

diff --git a/contrib/i2pd.service b/contrib/i2pd.service
index b5310809..ff91b726 100644
--- a/contrib/i2pd.service
+++ b/contrib/i2pd.service
@@ -35,7 +35,6 @@ LimitNOFILE=65536
 NoNewPrivileges=yes
 PrivateTmp=yes
 PrivateUsers=true
-DevicePolicy=closed
 PrivateDevices=yes
 ProtectHome=yes
 ProtectSystem=full

From aa6539fb46a90405f689243dc7385b2d1100be68 Mon Sep 17 00:00:00 2001
From: analotia
Date: Thu, 29 Oct 2020 00:31:01 +0200
Subject: [PATCH 8/9] Update i2pd.service

---
 contrib/i2pd.service | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/contrib/i2pd.service b/contrib/i2pd.service
index ff91b726..5e145fd5 100644
--- a/contrib/i2pd.service
+++ b/contrib/i2pd.service
@@ -27,7 +27,8 @@ KillSignal=SIGQUIT
 #KillSignal=SIGINT
 #TimeoutStopSec=10m
 
-LimitNOFILE=65536
+ # If you have problems with hanging i2pd, you can try increase this
+LimitNOFILE=4096
 # To enable write of coredump uncomment this
 #LimitCORE=infinity
 

From a73ff48d56e82c41921cd92cc653d89d5ff7ec40 Mon Sep 17 00:00:00 2001
From: analotia
Date: Thu, 29 Oct 2020 00:31:40 +0200
Subject: [PATCH 9/9] Update i2pd.service

---
 contrib/i2pd.service | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/contrib/i2pd.service b/contrib/i2pd.service
index 5e145fd5..9efcb506 100644
--- a/contrib/i2pd.service
+++ b/contrib/i2pd.service
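Review bot: The new `SystemCallFilter=` line lists `@mount @raw-io @reboot` twice, and because `@privileged` already contains `@clock`, `@module`, `@raw-io`, `@reboot` and `@swap`, most of the list is redundant; `SystemCallFilter=~@privileged @debug @mount @resources @cpu-emulation @obsolete` expresses the same deny set and is easier to audit. The more important point is that a denied call kills the process by default, and `Restart=on-failure` earlier in the unit then turns a single filtered syscall into a restart loop; `@resources` in particular denies setrlimit(), which i2pd may call when applying its own open-file and core-size limits from its config (inferred, not visible here), so the filter needs to be exercised on a live router and the journal checked for SIGSYS exits before merging. `MemoryDenyWriteExecute=true` is normally fine for a plain C++ daemon but belongs to the same one-time check, since it rejects any writable-and-executable mapping. A short comment above the filter stating which groups were tested, e.g. `# Deny set verified against i2pd <version placeholder>; loosen @resources if setrlimit() is needed`, would save the next maintainer from guessing.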
@@ -27,7 +27,7 @@ KillSignal=SIGQUIT
 #KillSignal=SIGINT
 #TimeoutStopSec=10m
 
- # If you have problems with hanging i2pd, you can try increase this
+# If you have problems with hanging i2pd, you can try increase this
 LimitNOFILE=4096
 # To enable write of coredump uncomment this
 #LimitCORE=infinity