Systemd Hardening for Background Workers on Small Servers

Worker services often run with broad permissions by default. Tightening unit settings reduces blast radius without major infrastructure changes.

Step 1: run as a dedicated service user

[Service]
User=worker
Group=worker

Step 2: lock down filesystem and privilege escalation

NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
ReadWritePaths=/var/lib/worker

Step 3: define restart and health behavior

[Service]
Restart=on-failure
RestartSec=5

[Unit]
# Start rate limiting is documented in systemd.unit(5) as a [Unit] setting.
StartLimitBurst=5
StartLimitIntervalSec=60

Pitfall

Running services as root for convenience. One compromised worker can then touch unrelated system paths.

Verification

  • Worker writes only to explicitly allowed paths.
  • Crash loops are bounded and visible in the journal.
  • Service startup remains stable after hardening flags.
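
The checks above can also be run statically before a unit is deployed. The following is an added example, not part of the original tutorial: a small Python audit that compares a unit file with the directives from Steps 1 to 3 and reports settings that are missing, weaker than the tutorial's, or placed in the wrong section (systemd.unit(5) documents StartLimitBurst= and StartLimitIntervalSec= under [Unit]). The names EXPECTED, parse_unit and audit and the sample unit are constructed for illustration.

```python
# directive -> (section it belongs in, required value or None for "any value")
EXPECTED = {
    "User": ("Service", None), "Group": ("Service", None),
    "NoNewPrivileges": ("Service", "true"), "ProtectSystem": ("Service", "strict"),
    "ProtectHome": ("Service", "true"), "PrivateTmp": ("Service", "true"),
    "ReadWritePaths": ("Service", None), "Restart": ("Service", "on-failure"),
    "StartLimitBurst": ("Unit", None), "StartLimitIntervalSec": ("Unit", None),
}
TRUTHY = {"true", "yes", "on", "1"}  # boolean spellings systemd accepts

def parse_unit(text):
    found, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif line and line[0] not in "#;" and "=" in line and section:
            key, value = line.split("=", 1)
            # Simplification: a later assignment replaces an earlier one.
            found[key.strip()] = (section, value.strip())
    return found

def audit(text):
    """Return a list of findings; an empty list means the unit matches the tutorial."""
    found, problems = parse_unit(text), []
    for key, (want_section, want_value) in EXPECTED.items():
        if key not in found:
            problems.append(f"{key}: missing")
            continue
        section, value = found[key]
        if section != want_section:
            problems.append(f"{key}: set in [{section}], belongs in [{want_section}]")
        got = "true" if value.lower() in TRUTHY else value
        if want_value is not None and got != want_value:
            problems.append(f"{key}: is {value!r}, expected {want_value!r}")
    if found.get("User", ("", ""))[1] in ("root", "0"):
        problems.append("User: service runs as root")
    return problems

# Constructed sample with deliberate mistakes (not a unit from the page).
SAMPLE = """[Service]
User=worker
Group=worker
ProtectSystem=full
ProtectHome=yes
ReadWritePaths=/var/lib/worker
Restart=on-failure
StartLimitBurst=5
StartLimitIntervalSec=60
"""
```

Calling audit(SAMPLE) returns one finding per problem. This is a static check only; the runtime behaviour listed under Verification still has to be confirmed on the host.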
