
You could combine it with something like this

  SocketBindDeny=any
  SocketBindAllow=tcp:80
  SocketBindAllow=tcp:443

These ports should be denied by the kernel because they're already taken by httpd, and all others will be denied by bpf filters installed by systemd.

It feels like plugging holes in a dam, but that's what you do with popular operating systems.
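
The filter logic behind the settings in the comment above, as an added example that is not part of the original comment: a small Python model that evaluates allow rules first, then deny rules, and otherwise permits the bind, following the order described in systemd.resource-control(5). The function names and sample bind attempts are constructed, and a bind that passes the filter can still be refused by the kernel when the port is already in use.

```python
"""Illustrative model of SocketBindAllow=/SocketBindDeny= matching (not systemd code)."""

FAMILIES = {"ipv4", "ipv6"}
PROTOCOLS = {"tcp", "udp"}


def parse_rule(rule):
    """Parse '[family:][protocol:][ports]' or 'any'; None in a field matches anything."""
    family = proto = ports = None
    if rule != "any":
        for token in rule.split(":"):
            if token in FAMILIES:
                family = token
            elif token in PROTOCOLS:
                proto = token
            else:
                lo, _, hi = token.partition("-")  # single port or lo-hi range
                ports = (int(lo), int(hi or lo))
                if not 1 <= ports[0] <= ports[1] <= 65535:
                    raise ValueError(f"bad port range in rule: {rule!r}")
    return family, proto, ports


def matches(rule, family, proto, port):
    """True when a parsed rule covers this bind attempt."""
    r_family, r_proto, r_ports = rule
    return (r_family in (None, family)
            and r_proto in (None, proto)
            and (r_ports is None or r_ports[0] <= port <= r_ports[1]))


def bind_permitted(allow, deny, family, proto, port):
    """Allow list is checked first, then the deny list; no match means permitted."""
    if any(matches(parse_rule(r), family, proto, port) for r in allow):
        return True
    return not any(matches(parse_rule(r), family, proto, port) for r in deny)


# Settings from the comment above.
ALLOW = ["tcp:80", "tcp:443"]
DENY = ["any"]

if __name__ == "__main__":
    # Constructed bind attempts from a hypothetical process inside the unit.
    attempts = [("ipv4", "tcp", 80), ("ipv6", "tcp", 443),
                ("ipv4", "tcp", 4444), ("ipv4", "udp", 443)]
    for family, proto, port in attempts:
        ok = bind_permitted(ALLOW, DENY, family, proto, port)
        print(f"{family} {proto}:{port} -> {'passes filter' if ok else 'denied by filter'}")
```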


