Alan Orth
8dd7663b3c
This adds Abuse.ch's list of IPs using blacklisted SSL certificates to nftables. These IPs are high-confidence indicators of compromise and we should not route them. The list is updated daily by a systemd timer. See: https://sslbl.abuse.ch/blacklist/
28 lines
909 B
Desktop File
[Unit]
|
|
Description=Update Abuse.ch SSL Blacklist IPs
|
|
# This service will fail if nftables is not running so we use Requires to make
|
|
# sure that nftables is started.
|
|
Requires=nftables.service
|
|
# Make sure the network is up and nftables is started
|
|
After=network-online.target nftables.service
|
|
Wants=network-online.target update-abusech-nftables.timer
|
|
|
|
[Service]
|
|
# https://www.ctrl.blog/entry/systemd-service-hardening.html
|
|
# Doesn't need access to /home or /root
|
|
ProtectHome=true
|
|
# Possibly only works on Ubuntu 18.04+
|
|
ProtectKernelTunables=true
|
|
ProtectSystem=full
|
|
# Newer systemd can use ReadWritePaths to list files, but this works everywhere
|
|
ReadWriteDirectories=/etc/nftables
|
|
PrivateTmp=true
|
|
WorkingDirectory=/var/tmp
|
|
|
|
SyslogIdentifier=update-abusech-nftables
|
|
ExecStart=/usr/bin/flock -x update-abusech-nftables.lck \
|
|
/usr/local/bin/update-abusech-nftables.sh
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|
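Review bot: The flock in ExecStart is taken on a relative path inside the private /var/tmp that PrivateTmp=true combined with WorkingDirectory=/var/tmp gives this unit, so it only serialises runs that share that namespace and does not protect against the script being run by hand (or by another unit) while the timer-driven run rewrites /etc/nftables; if that is the intent, lock on a shared path instead, e.g. `ExecStart=/usr/bin/flock -x /run/lock/update-abusech-nftables.lck /usr/local/bin/update-abusech-nftables.sh`, which stays writable under ProtectSystem=full. With no Type= the service defaults to simple, so a timer-triggered run is considered started as soon as the script is forked and a non-zero exit is not reflected in the activation result; for a download-and-apply job `Type=oneshot` is the more conventional choice and makes failures visible in the journal and in `systemctl status`. The unit presumably needs CAP_NET_ADMIN for nft and nothing else, so `CapabilityBoundingSet=CAP_NET_ADMIN` plus `NoNewPrivileges=true` would fit the hardening comments already present — confirm against what update-abusech-nftables.sh actually calls, since the script is not part of this commit. A short comment above ExecStart noting that the downloaded list is applied by the script (and that the script, not this unit, is responsible for not flushing the existing set when the download fails) would help the next reader.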