Commit | Line | Data |
---|---|---|
6b557d34 | 1 | ############ THESE SETTINGS ARE REQUIRED ############ |
cb64b9ac | 2 | |
3 | ######################################################################## | |
4 | # | |
5 | # SECURE_LOG: the log file that contains sshd logging info | |
6 | # if you are not sure, grep "sshd:" /var/log/* | |
7 | # | |
8 | # The file to process can be overridden with the --file command line | |
9 | # argument | |
10 | # | |
0dd10d1d | 11 | # Redhat or Fedora Core: |
cb64b9ac | 12 | SECURE_LOG = /var/log/secure |
13 | # | |
0dd10d1d | 14 | # Mandrake, FreeBSD or OpenBSD: |
cb64b9ac | 15 | #SECURE_LOG = /var/log/auth.log |
16 | # | |
17 | # SuSE: | |
18 | #SECURE_LOG = /var/log/messages | |
19 | # | |
20 | ######################################################################## | |
21 | ||
22 | ######################################################################## | |
23 | # HOSTS_DENY: the file which contains restricted host access information | |
24 | # | |
6b557d34 | 25 | # Most operating systems: |
cb64b9ac | 26 | HOSTS_DENY = /etc/tcpd/hosts.deny |
27 | # | |
6b557d34 | 28 | # Some BSD (FreeBSD) Unixes: |
29 | #HOSTS_DENY = /etc/hosts.allow | |
30 | # | |
31 | # Another possibility (also see the next option): | |
32 | #HOSTS_DENY = /etc/hosts.evil | |
33 | ####################################################################### | |
34 | ||
35 | ||
36 | ######################################################################## | |
37 | # PURGE_DENY: remove HOSTS_DENY entries that are older than this time | |
38 | # when DenyHosts is invoked with the --purge flag | |
39 | # | |
40 | # format is: i[dhwmy] | |
41 | # Where 'i' is an integer (eg. 7) | |
42 | # 'm' = minutes | |
43 | # 'h' = hours | |
44 | # 'd' = days | |
45 | # 'w' = weeks | |
46 | # 'y' = years | |
47 | # | |
48 | # never purge: | |
49 | PURGE_DENY = | |
50 | # | |
51 | # purge entries older than 1 week | |
52 | #PURGE_DENY = 1w | |
53 | # | |
54 | # purge entries older than 5 days | |
55 | #PURGE_DENY = 5d | |
cb64b9ac | 56 | ####################################################################### |
57 | ||
58 | ||
59 | ####################################################################### | |
60 | # BLOCK_SERVICE: the service name that should be blocked in HOSTS_DENY | |
61 | # | |
62 | # man 5 host_access for details | |
63 | # | |
6b557d34 | 64 | # eg. sshd: 127.0.0.1 # will block sshd logins from 127.0.0.1 |
cb64b9ac | 65 | # |
66 | # To block all services for the offending host: | |
67 | #BLOCK_SERVICE = ALL | |
68 | # To block only sshd: | |
6b557d34 | 69 | BLOCK_SERVICE = sshd |
70 | # To only record the offending host and nothing else (if using | |
71 | # an auxiliary file to list the hosts). Refer to: | |
72 | # http://denyhosts.sourceforge.net/faq.html#aux | |
73 | #BLOCK_SERVICE = | |
cb64b9ac | 74 | # |
75 | ####################################################################### | |
76 | ||
6b557d34 | 77 | |
cb64b9ac | 78 | ####################################################################### |
79 | # | |
0dd10d1d MB |
80 | # DENY_THRESHOLD_INVALID: block each host after the number of failed login |
81 | # attempts has exceeded this value. This value applies to invalid | |
82 | # user login attempts (eg. non-existent user accounts) | |
cb64b9ac | 83 | # |
0dd10d1d | 84 | DENY_THRESHOLD_INVALID = 3 |
cb64b9ac | 85 | # |
86 | ####################################################################### | |
87 | ||
0dd10d1d MB |
88 | ####################################################################### |
89 | # | |
90 | # DENY_THRESHOLD_VALID: block each host after the number of failed | |
91 | # login attempts has exceeded this value. This value applies to valid | |
92 | # user login attempts (eg. user accounts that exist in /etc/passwd) except | |
93 | # for the "root" user | |
94 | # | |
95 | DENY_THRESHOLD_VALID = 10 | |
96 | # | |
97 | ####################################################################### | |
98 | ||
99 | ####################################################################### | |
100 | # | |
101 | # DENY_THRESHOLD_ROOT: block each host after the number of failed | |
102 | # login attempts has exceeded this value. This value applies to | |
103 | # "root" user login attempts only. | |
104 | # | |
105 | DENY_THRESHOLD_ROOT = 1 | |
106 | # | |
107 | ####################################################################### | |
108 | ||
109 | ||
cb64b9ac | 110 | ####################################################################### |
111 | # | |
112 | # WORK_DIR: the path that DenyHosts will use for writing data to | |
0dd10d1d MB |
113 | # (it will be created if it does not already exist). |
114 | # | |
115 | # Note: when run in daemon mode, this directory should be specified | |
116 | # as an absolute path name (eg. /home/foo/denyhosts/data) | |
6b557d34 | 117 | # |
118 | WORK_DIR = /var/lib/DenyHosts | |
cb64b9ac | 119 | # |
120 | ####################################################################### | |
121 | ||
6b557d34 | 122 | ####################################################################### |
123 | # | |
124 | # SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS | |
125 | # | |
126 | # SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES|NO | |
127 | # If set to YES, a suspicious login attempt that comes from an allowed-host | |
128 | # is still reported as suspicious. If this is NO, then suspicious logins | |
129 | # from allowed-hosts will not be reported. Suspicious logins from | |
130 | # IP addresses that are not in allowed-hosts will always be reported. | |
131 | # | |
132 | SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES | |
133 | ###################################################################### | |
134 | ||
135 | ###################################################################### | |
136 | # | |
137 | # HOSTNAME_LOOKUP | |
138 | # | |
139 | # HOSTNAME_LOOKUP=YES|NO | |
140 | # If set to YES, for each IP address that is reported by Denyhosts, | |
141 | # the corresponding hostname will be looked up and reported as well | |
142 | # (if available). | |
143 | # | |
144 | HOSTNAME_LOOKUP=YES | |
0dd10d1d | 145 | # |
6b557d34 | 146 | ###################################################################### |
cb64b9ac | 147 | |
148 | ||
6b557d34 | 149 | ###################################################################### |
150 | # | |
151 | # LOCK_FILE | |
152 | # | |
153 | # LOCK_FILE=/path/denyhosts | |
154 | # If this file exists when DenyHosts is run, then DenyHosts will exit | |
155 | # immediately. Otherwise, this file will be created upon invocation | |
156 | # and deleted upon exit. This ensures that only one instance is | |
157 | # running at a time. | |
158 | # | |
159 | # Redhat/Fedora: | |
160 | LOCK_FILE = /var/lock/subsys/denyhosts | |
161 | # | |
0dd10d1d MB |
162 | # Debian |
163 | #LOCK_FILE = /var/run/denyhosts.pid | |
164 | # | |
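165 | # Misc (caution: /tmp is world-writable, so any local user can create this file and make DenyHosts exit at startup) | |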
6b557d34 | 166 | #LOCK_FILE = /tmp/denyhosts.lock |
0dd10d1d | 167 | # |
6b557d34 | 168 | ###################################################################### |
169 | ||
170 | ||
171 | ############ THESE SETTINGS ARE OPTIONAL ############ | |
cb64b9ac | 172 | |
173 | ||
174 | ####################################################################### | |
175 | # | |
176 | # ADMIN_EMAIL: if you would like to receive emails regarding newly | |
177 | # restricted hosts and suspicious logins, set this address to | |
178 | # match your email address. If you do not want to receive these reports | |
179 | # leave this field blank (or run with the --noemail option) | |
180 | # | |
181 | ADMIN_EMAIL = root@localhost | |
182 | # | |
183 | ####################################################################### | |
184 | ||
185 | ####################################################################### | |
186 | # | |
187 | SMTP_HOST = localhost | |
188 | SMTP_PORT = 25 | |
0dd10d1d | 189 | SMTP_FROM = DenyHosts <nobody@localhost> |
cb64b9ac | 190 | SMTP_SUBJECT = DenyHosts Report |
0dd10d1d MB |
191 | #SMTP_USERNAME=foo |
192 | #SMTP_PASSWORD=bar | |
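cb64b9ac | 193 | # If SMTP_PASSWORD is set, restrict this file's permissions so that only the account running DenyHosts can read it. |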
194 | ####################################################################### | |
195 | ||
0dd10d1d MB |
196 | ###################################################################### |
197 | # | |
198 | # ALLOWED_HOSTS_HOSTNAME_LOOKUP | |
199 | # | |
200 | # ALLOWED_HOSTS_HOSTNAME_LOOKUP=YES|NO | |
201 | # If set to YES, for each entry in the WORK_DIR/allowed-hosts file, | |
202 | # the hostname will be looked up. If your versions of tcp_wrappers | |
203 | # and sshd sometimes log hostnames in addition to ip addresses | |
204 | # then you may wish to specify this option. | |
205 | # | |
206 | #ALLOWED_HOSTS_HOSTNAME_LOOKUP=NO | |
207 | # | |
208 | ###################################################################### | |
209 | ||
210 | ###################################################################### | |
211 | # | |
212 | # AGE_RESET_VALID: Specifies the period of time between failed login | |
213 | # attempts that, when exceeded, will cause the failed count for | |
214 | # this host to be reset to 0. This value applies to login attempts | |
215 | # to all valid users (those within /etc/passwd) with the | |
216 | # exception of root. If not defined, this count will never | |
217 | # be reset. | |
218 | # | |
219 | # See the comments in the PURGE_DENY section (above) | |
220 | # for details on specifying this value or for complete details | |
221 | # refer to: http://denyhosts.sourceforge.net/faq.html#timespec | |
222 | # | |
223 | AGE_RESET_VALID=5d | |
224 | # | |
225 | ###################################################################### | |
226 | ||
227 | ###################################################################### | |
228 | # | |
229 | # AGE_RESET_ROOT: Specifies the period of time between failed login | |
230 | # attempts that, when exceeded, will cause the failed count for | |
231 | # this host to be reset to 0. This value applies to all login | |
232 | # attempts to the "root" user account. If not defined, | |
233 | # this count will never be reset. | |
234 | # | |
235 | # See the comments in the PURGE_DENY section (above) | |
236 | # for details on specifying this value or for complete details | |
237 | # refer to: http://denyhosts.sourceforge.net/faq.html#timespec | |
238 | # | |
239 | AGE_RESET_ROOT=25d | |
240 | # | |
241 | ###################################################################### | |
242 | ||
243 | ###################################################################### | |
244 | # | |
245 | # AGE_RESET_INVALID: Specifies the period of time between failed login | |
246 | # attempts that, when exceeded, will cause the failed count for | |
247 | # this host to be reset to 0. This value applies to login attempts | |
248 | # made to any invalid username (those that do not appear | |
249 | # in /etc/passwd). If not defined, count will never be reset. | |
250 | # | |
251 | # See the comments in the PURGE_DENY section (above) | |
252 | # for details on specifying this value or for complete details | |
253 | # refer to: http://denyhosts.sourceforge.net/faq.html#timespec | |
254 | # | |
255 | AGE_RESET_INVALID=10d | |
256 | # | |
257 | ###################################################################### | |
258 | ||
259 | ###################################################################### | |
260 | # | |
261 | # PLUGIN_DENY: If set, this value should point to an executable | |
262 | # program that will be invoked when a host is added to the | |
263 | # HOSTS_DENY file. This executable will be passed the host | |
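264 | # that will be added as its only argument. | |
265 | # The host value is derived from SECURE_LOG entries, so the program should treat it as untrusted input. | |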
266 | #PLUGIN_DENY=/usr/bin/true | |
267 | # | |
268 | ###################################################################### | |
269 | ||
270 | ||
271 | ###################################################################### | |
272 | # | |
273 | # PLUGIN_PURGE: If set, this value should point to an executable | |
274 | # program that will be invoked when a host is removed from the | |
275 | # HOSTS_DENY file. This executable will be passed the host | |
276 | # that is to be purged as its only argument. | |
277 | # | |
278 | #PLUGIN_PURGE=/usr/bin/true | |
279 | # | |
280 | ###################################################################### | |
281 | ||
282 | ||
283 | ######### THESE SETTINGS ARE SPECIFIC TO DAEMON MODE ########## | |
6b557d34 | 284 | |
285 | ||
286 | ####################################################################### | |
287 | # | |
288 | # DAEMON_LOG: when DenyHosts is run in daemon mode (--daemon flag) | |
289 | # this is the logfile that DenyHosts uses to report its status. | |
290 | # To disable logging, leave blank. (default is: /var/log/denyhosts) | |
291 | # | |
292 | DAEMON_LOG = /var/log/denyhosts | |
293 | # | |
294 | # disable logging: | |
295 | #DAEMON_LOG = | |
296 | # | |
297 | ###################################################################### | |
298 | ||
0dd10d1d MB |
299 | ####################################################################### |
300 | # | |
301 | # DAEMON_LOG_TIME_FORMAT: when DenyHosts is run in daemon mode | |
302 | # (--daemon flag) this specifies the timestamp format of | |
303 | # the DAEMON_LOG messages (default is the ISO 8601 format: | |
304 | # ie. 2005-07-22 10:38:01,745) | |
305 | # | |
306 | # for possible values for this parameter refer to: man strftime | |
307 | # | |
308 | # Jan 1 13:05:59 | |
309 | #DAEMON_LOG_TIME_FORMAT = %b %d %H:%M:%S | |
310 | # | |
311 | # Jan 1 01:05:59 | |
312 | #DAEMON_LOG_TIME_FORMAT = %b %d %I:%M:%S | |
313 | # | |
314 | ###################################################################### | |
315 | ||
6b557d34 | 316 | ####################################################################### |
317 | # | |
318 | # DAEMON_SLEEP: when DenyHosts is run in daemon mode (--daemon flag) | |
319 | # this is the amount of time DenyHosts will sleep between polling | |
0dd10d1d MB |
320 | # the SECURE_LOG. See the comments in the PURGE_DENY section (above) |
321 | # for details on specifying this value or for complete details | |
322 | # refer to: http://denyhosts.sourceforge.net/faq.html#timespec | |
323 | # | |
6b557d34 | 324 | # |
325 | DAEMON_SLEEP = 30 | |
326 | # | |
327 | ####################################################################### | |
328 | ||
329 | ####################################################################### | |
330 | # | |
0dd10d1d | 331 | # DAEMON_PURGE: How often should DenyHosts, when run in daemon mode, |
6b557d34 | 332 | # run the purge mechanism to expire old entries in HOSTS_DENY |
6b557d34 | 333 | # This has no effect if PURGE_DENY is blank. |
334 | # | |
335 | DAEMON_PURGE = 60 | |
336 | # | |
337 | ####################################################################### | |
338 |