Update README.md

.gitignore

@@ -162,4 +162,5 @@ cython_debug/
 
 # Others
 id_rsa_host
+sockets/
 *.sock

README.md

@@ -73,7 +73,17 @@ We have deployed collabore tunnel on a server running Ubuntu Server 22.04.
 ### Install required packages
 
 ```
-apt install python3-pip nginx
+apt install python3-pip python3-venv nginx
+```
+
+### Create `collabore-tunnel` user
+
+```
+groupadd collabore-tunnel
+```
+
+```
+useradd -r -s /sbin/nologin -g collabore-tunnel collabore-tunnel
 ```
 
 ### Retrieve sources
@@ -82,18 +92,28 @@ apt install python3-pip nginx
 mkdir /opt/collabore-tunnel
 ```
 
+```
+chown collabore-tunnel:collabore-tunnel /opt/collabore-tunnel
+```
+
 ```
 cd /opt/collabore-tunnel
 ```
 
 ```
-git clone https://github.com/ClubElecINSSET/collabore-tunnel .
+runuser -u collabore-tunnel -- git clone https://github.com/ClubElecINSSET/collabore-tunnel .
+```
+
+### Create Python virtual environment
+
+```
+runuser -u collabore-tunnel -- virtualenv .env
 ```
 
 ### Install Python dependencies
 
 ```
-pip install -r requirements.txt
+runuser -u collabore-tunnel -- .env/bin/pip install -r requirements.txt
 ```
 
 ### Install NGINX virtualhosts

collabore-tunnel.service

@@ -3,43 +3,61 @@ Description=collabore tunnel  Make your local services accessible to all on the
 After=network.target nginx.service
 
 [Service]
-Environment=UNIX_SOCKETS_DIRECTORY=/tmp/collabore-tunnel
+Type=exec
+
+# environment variables
+Environment=HOME=/opt/collabore-tunnel/
+Environment=UNIX_SOCKETS_DIRECTORY=/opt/collabore-tunnel/sockets
 Environment=SERVER_HOSTNAME=tnl.clb.re
 Environment=CONFIG_DIRECTORY=.
 Environment=WELCOME_BANNER_FILE=./welcome_banner.txt
 Environment=RATE_LIMIT_COUNT=5
 Environment=RATE_LIMIT_INTERVAL=60
 Environment=MAX_CONNECTIONS_PER_IP=5
-Environment=TIMEOUT=120
 Environment=SSH_SERVER_HOST=0.0.0.0
 Environment=SSH_SERVER_PORT=22
 Environment=LOG_DEPTH=2
+
+# working directory and exec
 WorkingDirectory=/opt/collabore-tunnel
-ExecStart=/usr/bin/python3 main.py
+ExecStart=/opt/collabore-tunnel/.env/bin/python3 main.py
-ExecStop=/bin/kill -9 $MAINPID
+ExecStop=/usr/bin/kill -9 $MAINPID
-ProtectSystem=strict
+
-ReadWritePaths=/opt/collabore-tunnel /tmp
+# filesystem
-ReadOnlyPaths=/usr/bin
+TemporaryFileSystem=/:ro
-InaccessiblePaths=...
+BindReadOnlyPaths=/lib/ /lib64/ /usr/lib/ /usr/lib64/ /opt/collabore-tunnel/
-ProtectHome=true
+BindReadOnlyPaths=/usr/bin/python3 /usr/bin/kill
-ProtectProc=invisible
+BindPaths=/opt/collabore-tunnel/sockets/
-ProtectKernelTunables=true
+BindPaths=/opt/collabore-tunnel/id_rsa_host
-ProtectControlGroups=true
+PrivateTmp=true
-NoNewPrivileges=true
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE
-RestrictNamespaces=uts ipc pid cgroup
-RestrictSUIDSGID=true
-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
-RestrictRealtime=yes
-MemoryDenyWriteExecute=yes
-LockPersonality=yes
-IPAddressAllow=192.168.1.0/24
 PrivateDevices=true
+ProtectControlGroups=true
 ProtectKernelModules=true
-ProtectKernelLogs=true
+ProtectKernelTunables=true
-ProtectClock=true
+ReadWritePaths=
+
+# network
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+
+# misc
 SystemCallArchitectures=native
 SystemCallFilter=
+NoNewPrivileges=true
+PrivateUsers=true
+RestrictRealtime=true
+MemoryDenyWriteExecute=true
+ProtectKernelLogs=true
+LockPersonality=true
+ProtectHostname=true
+RemoveIPC=true
+RestrictSUIDSGID=true
+ProtectClock=true
+ProtectProc=invisible
+
+# capabilities
+RestrictNamespaces=uts ipc pid cgroup
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=
 
 [Install]
 WantedBy=multi-user.target