[packages/DenyHosts.git] / DenyHosts.cfg

       ############ THESE SETTINGS ARE REQUIRED ############

########################################################################
#
# SECURE_LOG: the log file that contains sshd logging info
# if you are not sure, grep "sshd:" /var/log/*
#
# The file to process can be overridden with the --file command line
# argument
#
# Redhat or Fedora Core:
SECURE_LOG = /var/log/secure
#
# Mandrake, FreeBSD or OpenBSD: 
#SECURE_LOG = /var/log/auth.log
#
# SuSE:
#SECURE_LOG = /var/log/messages
#
########################################################################

########################################################################
# HOSTS_DENY: the file which contains restricted host access information
#
# Most operating systems:
HOSTS_DENY = /etc/tcpd/hosts.deny
#
# Some BSD (FreeBSD) Unixes:
#HOSTS_DENY = /etc/hosts.allow
#
# Another possibility (also see the next option):
#HOSTS_DENY = /etc/hosts.evil
#######################################################################


########################################################################
# PURGE_DENY: removed HOSTS_DENY entries that are older than this time
#             when DenyHosts is invoked with the --purge flag
#
#      format is: i[dhwmy]
#      Where 'i' is an integer (eg. 7) 
#            'm' = minutes
#            'h' = hours
#            'd' = days
#            'w' = weeks
#            'y' = years
#
# never purge:
PURGE_DENY = 
#
# purge entries older than 1 week
#PURGE_DENY = 1w
#
# purge entries older than 5 days
#PURGE_DENY = 5d
#######################################################################


#######################################################################
# BLOCK_SERVICE: the service name that should be blocked in HOSTS_DENY
# 
# man 5 host_access for details
#
# eg.   sshd: 127.0.0.1  # will block sshd logins from 127.0.0.1
#
# To block all services for the offending host:
#BLOCK_SERVICE = ALL
# To block only sshd:
BLOCK_SERVICE  = sshd
# To only record the offending host and nothing else (if using
# an auxilary file to list the hosts).  Refer to: 
# http://denyhosts.sourceforge.net/faq.html#aux
#BLOCK_SERVICE =    
#
#######################################################################


#######################################################################
#
# DENY_THRESHOLD_INVALID: block each host after the number of failed login 
# attempts has exceeded this value.  This value applies to invalid
# user login attempts (eg. non-existent user accounts)
#
DENY_THRESHOLD_INVALID = 3
#
#######################################################################

#######################################################################
#
# DENY_THRESHOLD_VALID: block each host after the number of failed 
# login attempts has exceeded this value.  This value applies to valid
# user login attempts (eg. user accounts that exist in /etc/passwd) except
# for the "root" user
#
DENY_THRESHOLD_VALID = 10
#
#######################################################################

#######################################################################
#
# DENY_THRESHOLD_ROOT: block each host after the number of failed 
# login attempts has exceeded this value.  This value applies to 
# "root" user login attempts only.
#
DENY_THRESHOLD_ROOT = 1
#
#######################################################################


#######################################################################
#
# WORK_DIR: the path that DenyHosts will use for writing data to
# (it will be created if it does not already exist).  
#
# Note: when run in daemon mode, this directory should be specified
# as an absolute path name (eg. /home/foo/denyhosts/data)
#
WORK_DIR = /var/lib/DenyHosts
#
#######################################################################

#######################################################################
#
# SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS
#
# SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES|NO
# If set to YES, if a suspicious login attempt results from an allowed-host
# then it is considered suspicious.  If this is NO, then suspicious logins 
# from allowed-hosts will not be reported.  All suspicious logins from 
# ip addresses that are not in allowed-hosts will always be reported.
#
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
######################################################################

######################################################################
#
# HOSTNAME_LOOKUP
#
# HOSTNAME_LOOKUP=YES|NO
# If set to YES, for each IP address that is reported by Denyhosts,
# the corresponding hostname will be looked up and reported as well
# (if available).
#
HOSTNAME_LOOKUP=YES
#
######################################################################


######################################################################
#
# LOCK_FILE
#
# LOCK_FILE=/path/denyhosts
# If this file exists when DenyHosts is run, then DenyHosts will exit
# immediately.  Otherwise, this file will be created upon invocation
# and deleted upon exit.  This ensures that only one instance is
# running at a time.
#
# Redhat/Fedora:
LOCK_FILE = /var/lock/subsys/denyhosts
#
# Debian
#LOCK_FILE = /var/run/denyhosts.pid
#
# Misc
#LOCK_FILE = /tmp/denyhosts.lock
#
######################################################################


       ############ THESE SETTINGS ARE OPTIONAL ############


#######################################################################
#
# ADMIN_EMAIL: if you would like to receive emails regarding newly
# restricted hosts and suspicious logins, set this address to 
# match your email address.  If you do not want to receive these reports
# leave this field blank (or run with the --noemail option)
#
ADMIN_EMAIL = root@localhost
#
#######################################################################

#######################################################################
#
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_FROM = DenyHosts <nobody@localhost>
SMTP_SUBJECT = DenyHosts Report
#SMTP_USERNAME=foo
#SMTP_PASSWORD=bar
#
#######################################################################

######################################################################
#
# ALLOWED_HOSTS_HOSTNAME_LOOKUP
#
# ALLOWED_HOSTS_HOSTNAME_LOOKUP=YES|NO
# If set to YES, for each entry in the WORK_DIR/allowed-hosts file,
# the hostname will be looked up.  If your versions of tcp_wrappers
# and sshd sometimes log hostnames in addition to ip addresses
# then you may wish to specify this option.
# 
#ALLOWED_HOSTS_HOSTNAME_LOOKUP=NO
#
######################################################################

###################################################################### 
# 
# AGE_RESET_VALID: Specifies the period of time between failed login
# attempts that, when exceeded will result in the failed count for 
# this host to be reset to 0.  This value applies to login attempts 
# to all valid users (those within /etc/passwd) with the 
# exception of root.  If not defined, this count will never
# be reset.
#
# See the comments in the PURGE_DENY section (above) 
# for details on specifying this value or for complete details 
# refer to:  http://denyhosts.sourceforge.net/faq.html#timespec
#
AGE_RESET_VALID=5d
#
######################################################################

###################################################################### 
# 
# AGE_RESET_ROOT: Specifies the period of time between failed login
# attempts that, when exceeded will result in the failed count for 
# this host to be reset to 0.  This value applies to all login 
# attempts to the "root" user account.  If not defined,
# this count will never be reset.
#
# See the comments in the PURGE_DENY section (above) 
# for details on specifying this value or for complete details 
# refer to:  http://denyhosts.sourceforge.net/faq.html#timespec
#
AGE_RESET_ROOT=25d
#
######################################################################

###################################################################### 
# 
# AGE_RESET_INVALID: Specifies the period of time between failed login
# attempts that, when exceeded will result in the failed count for 
# this host to be reset to 0.  This value applies to login attempts 
# made to any invalid username (those that do not appear 
# in /etc/passwd).  If not defined, count will never be reset.
#
# See the comments in the PURGE_DENY section (above) 
# for details on specifying this value or for complete details 
# refer to:  http://denyhosts.sourceforge.net/faq.html#timespec
#
AGE_RESET_INVALID=10d
#
######################################################################

######################################################################
#
# PLUGIN_DENY: If set, this value should point to an executable
# program that will be invoked when a host is added to the
# HOSTS_DENY file.  This executable will be passed the host
# that will be added as it's only argument.
#
#PLUGIN_DENY=/usr/bin/true
#
######################################################################


######################################################################
#
# PLUGIN_PURGE: If set, this value should point to an executable
# program that will be invoked when a host is removed from the
# HOSTS_DENY file.  This executable will be passed the host
# that is to be purged as it's only argument.
#
#PLUGIN_PURGE=/usr/bin/true
#
######################################################################


   ######### THESE SETTINGS ARE SPECIFIC TO DAEMON MODE  ##########


#######################################################################
#
# DAEMON_LOG: when DenyHosts is run in daemon mode (--daemon flag)
# this is the logfile that DenyHosts uses to report it's status.
# To disable logging, leave blank.  (default is: /var/log/denyhosts)
#
DAEMON_LOG = /var/log/denyhosts
#
# disable logging:
#DAEMON_LOG = 
#
######################################################################

#######################################################################
# 
# DAEMON_LOG_TIME_FORMAT: when DenyHosts is run in daemon mode 
# (--daemon flag) this specifies the timestamp format of 
# the DAEMON_LOG messages (default is the ISO8061 format:
# ie. 2005-07-22 10:38:01,745)
#
# for possible values for this parameter refer to: man strftime
#
# Jan 1 13:05:59   
#DAEMON_LOG_TIME_FORMAT = %b %d %H:%M:%S
#
# Jan 1 01:05:59 
#DAEMON_LOG_TIME_FORMAT = %b %d %I:%M:%S
#
###################################################################### 
 
#######################################################################
#
# DAEMON_SLEEP: when DenyHosts is run in daemon mode (--daemon flag)
# this is the amount of time DenyHosts will sleep between polling
# the SECURE_LOG.  See the comments in the PURGE_DENY section (above)
# for details on specifying this value or for complete details
# refer to:    http://denyhosts.sourceforge.net/faq.html#timespec
# 
#
DAEMON_SLEEP = 30
#
#######################################################################

#######################################################################
#
# DAEMON_PURGE: How often should DenyHosts, when run in daemon mode,
# run the purge mechanism to expire old entries in HOSTS_DENY
# This has no effect if PURGE_DENY is blank.
#
DAEMON_PURGE = 60
#
#######################################################################
Commit	Line	Data
6b557d34	1	############ THESE SETTINGS ARE REQUIRED ############
cb64b9ac	2
	3	########################################################################
	4	#
	5	# SECURE_LOG: the log file that contains sshd logging info
	6	# if you are not sure, grep "sshd:" /var/log/*
	7	#
	8	# The file to process can be overridden with the --file command line
	9	# argument
	10	#
0dd10d1d	11	# Redhat or Fedora Core:
cb64b9ac	12	SECURE_LOG = /var/log/secure
cb64b9ac	13	#
0dd10d1d	14	# Mandrake, FreeBSD or OpenBSD:
cb64b9ac	15	#SECURE_LOG = /var/log/auth.log
	16	#
	17	# SuSE:
	18	#SECURE_LOG = /var/log/messages
	19	#
	20	########################################################################
	21
	22	########################################################################
	23	# HOSTS_DENY: the file which contains restricted host access information
	24	#
6b557d34	25	# Most operating systems:
cb64b9ac	26	HOSTS_DENY = /etc/tcpd/hosts.deny
cb64b9ac	27	#
6b557d34	28	# Some BSD (FreeBSD) Unixes:
	29	#HOSTS_DENY = /etc/hosts.allow
	30	#
	31	# Another possibility (also see the next option):
	32	#HOSTS_DENY = /etc/hosts.evil
	33	#######################################################################
	34
	35
	36	########################################################################
	37	# PURGE_DENY: removed HOSTS_DENY entries that are older than this time
	38	# when DenyHosts is invoked with the --purge flag
	39	#
	40	# format is: i[dhwmy]
	41	# Where 'i' is an integer (eg. 7)
	42	# 'm' = minutes
	43	# 'h' = hours
	44	# 'd' = days
	45	# 'w' = weeks
	46	# 'y' = years
	47	#
	48	# never purge:
	49	PURGE_DENY =
	50	#
	51	# purge entries older than 1 week
	52	#PURGE_DENY = 1w
	53	#
	54	# purge entries older than 5 days
	55	#PURGE_DENY = 5d
cb64b9ac	56	#######################################################################
	57
	58
	59	#######################################################################
	60	# BLOCK_SERVICE: the service name that should be blocked in HOSTS_DENY
	61	#
	62	# man 5 host_access for details
	63	#
6b557d34	64	# eg. sshd: 127.0.0.1 # will block sshd logins from 127.0.0.1
cb64b9ac	65	#
	66	# To block all services for the offending host:
	67	#BLOCK_SERVICE = ALL
	68	# To block only sshd:
6b557d34	69	BLOCK_SERVICE = sshd
	70	# To only record the offending host and nothing else (if using
	71	# an auxilary file to list the hosts). Refer to:
	72	# http://denyhosts.sourceforge.net/faq.html#aux
	73	#BLOCK_SERVICE =
cb64b9ac	74	#
	75	#######################################################################
	76
6b557d34	77
cb64b9ac	78	#######################################################################
cb64b9ac	79	#
0dd10d1d MB	80	# DENY_THRESHOLD_INVALID: block each host after the number of failed login
	81	# attempts has exceeded this value. This value applies to invalid
	82	# user login attempts (eg. non-existent user accounts)
cb64b9ac	83	#
0dd10d1d	84	DENY_THRESHOLD_INVALID = 3
cb64b9ac	85	#
	86	#######################################################################
	87
0dd10d1d MB	88	#######################################################################
	89	#
	90	# DENY_THRESHOLD_VALID: block each host after the number of failed
	91	# login attempts has exceeded this value. This value applies to valid
	92	# user login attempts (eg. user accounts that exist in /etc/passwd) except
	93	# for the "root" user
	94	#
	95	DENY_THRESHOLD_VALID = 10
	96	#
	97	#######################################################################
	98
	99	#######################################################################
	100	#
	101	# DENY_THRESHOLD_ROOT: block each host after the number of failed
	102	# login attempts has exceeded this value. This value applies to
	103	# "root" user login attempts only.
	104	#
	105	DENY_THRESHOLD_ROOT = 1
	106	#
	107	#######################################################################
	108
	109
cb64b9ac	110	#######################################################################
	111	#
	112	# WORK_DIR: the path that DenyHosts will use for writing data to
0dd10d1d MB	113	# (it will be created if it does not already exist).
	114	#
	115	# Note: when run in daemon mode, this directory should be specified
	116	# as an absolute path name (eg. /home/foo/denyhosts/data)
6b557d34	117	#
6b557d34	118	WORK_DIR = /var/lib/DenyHosts
cb64b9ac	119	#
	120	#######################################################################
	121
6b557d34	122	#######################################################################
	123	#
	124	# SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS
	125	#
	126	# SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES\|NO
	127	# If set to YES, if a suspicious login attempt results from an allowed-host
	128	# then it is considered suspicious. If this is NO, then suspicious logins
	129	# from allowed-hosts will not be reported. All suspicious logins from
	130	# ip addresses that are not in allowed-hosts will always be reported.
	131	#
	132	SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
	133	######################################################################
	134
	135	######################################################################
	136	#
	137	# HOSTNAME_LOOKUP
	138	#
	139	# HOSTNAME_LOOKUP=YES\|NO
	140	# If set to YES, for each IP address that is reported by Denyhosts,
	141	# the corresponding hostname will be looked up and reported as well
	142	# (if available).
	143	#
	144	HOSTNAME_LOOKUP=YES
0dd10d1d	145	#
6b557d34	146	######################################################################
cb64b9ac	147
cb64b9ac	148
6b557d34	149	######################################################################
	150	#
	151	# LOCK_FILE
	152	#
	153	# LOCK_FILE=/path/denyhosts
	154	# If this file exists when DenyHosts is run, then DenyHosts will exit
	155	# immediately. Otherwise, this file will be created upon invocation
	156	# and deleted upon exit. This ensures that only one instance is
	157	# running at a time.
	158	#
	159	# Redhat/Fedora:
	160	LOCK_FILE = /var/lock/subsys/denyhosts
	161	#
0dd10d1d MB	162	# Debian
	163	#LOCK_FILE = /var/run/denyhosts.pid
	164	#
	165	# Misc
6b557d34	166	#LOCK_FILE = /tmp/denyhosts.lock
0dd10d1d	167	#
6b557d34	168	######################################################################
	169
	170
	171	############ THESE SETTINGS ARE OPTIONAL ############
cb64b9ac	172
	173
	174	#######################################################################
	175	#
	176	# ADMIN_EMAIL: if you would like to receive emails regarding newly
	177	# restricted hosts and suspicious logins, set this address to
	178	# match your email address. If you do not want to receive these reports
	179	# leave this field blank (or run with the --noemail option)
	180	#
	181	ADMIN_EMAIL = root@localhost
	182	#
	183	#######################################################################
	184
	185	#######################################################################
	186	#
	187	SMTP_HOST = localhost
	188	SMTP_PORT = 25
0dd10d1d	189	SMTP_FROM = DenyHosts <nobody@localhost>
cb64b9ac	190	SMTP_SUBJECT = DenyHosts Report
0dd10d1d MB	191	#SMTP_USERNAME=foo
0dd10d1d MB	192	#SMTP_PASSWORD=bar
cb64b9ac	193	#
	194	#######################################################################
	195
0dd10d1d MB	196	######################################################################
	197	#
	198	# ALLOWED_HOSTS_HOSTNAME_LOOKUP
	199	#
	200	# ALLOWED_HOSTS_HOSTNAME_LOOKUP=YES\|NO
	201	# If set to YES, for each entry in the WORK_DIR/allowed-hosts file,
	202	# the hostname will be looked up. If your versions of tcp_wrappers
	203	# and sshd sometimes log hostnames in addition to ip addresses
	204	# then you may wish to specify this option.
	205	#
	206	#ALLOWED_HOSTS_HOSTNAME_LOOKUP=NO
	207	#
	208	######################################################################
	209
	210	######################################################################
	211	#
	212	# AGE_RESET_VALID: Specifies the period of time between failed login
	213	# attempts that, when exceeded will result in the failed count for
	214	# this host to be reset to 0. This value applies to login attempts
	215	# to all valid users (those within /etc/passwd) with the
	216	# exception of root. If not defined, this count will never
	217	# be reset.
	218	#
	219	# See the comments in the PURGE_DENY section (above)
	220	# for details on specifying this value or for complete details
	221	# refer to: http://denyhosts.sourceforge.net/faq.html#timespec
	222	#
	223	AGE_RESET_VALID=5d
	224	#
	225	######################################################################
	226
	227	######################################################################
	228	#
	229	# AGE_RESET_ROOT: Specifies the period of time between failed login
	230	# attempts that, when exceeded will result in the failed count for
	231	# this host to be reset to 0. This value applies to all login
	232	# attempts to the "root" user account. If not defined,
	233	# this count will never be reset.
	234	#
	235	# See the comments in the PURGE_DENY section (above)
	236	# for details on specifying this value or for complete details
	237	# refer to: http://denyhosts.sourceforge.net/faq.html#timespec
	238	#
	239	AGE_RESET_ROOT=25d
	240	#
	241	######################################################################
	242
	243	######################################################################
	244	#
	245	# AGE_RESET_INVALID: Specifies the period of time between failed login
	246	# attempts that, when exceeded will result in the failed count for
	247	# this host to be reset to 0. This value applies to login attempts
	248	# made to any invalid username (those that do not appear
	249	# in /etc/passwd). If not defined, count will never be reset.
	250	#
	251	# See the comments in the PURGE_DENY section (above)
	252	# for details on specifying this value or for complete details
	253	# refer to: http://denyhosts.sourceforge.net/faq.html#timespec
	254	#
	255	AGE_RESET_INVALID=10d
	256	#
	257	######################################################################
	258
	259	######################################################################
260	#
261	# PLUGIN_DENY: If set, this value should point to an executable
262	# program that will be invoked when a host is added to the
263	# HOSTS_DENY file. This executable will be passed the host
264	# that will be added as it's only argument.
265	#
266	#PLUGIN_DENY=/usr/bin/true
267	#
268	######################################################################
269
270
271	######################################################################
272	#
273	# PLUGIN_PURGE: If set, this value should point to an executable
274	# program that will be invoked when a host is removed from the
275	# HOSTS_DENY file. This executable will be passed the host
276	# that is to be purged as it's only argument.
277	#
278	#PLUGIN_PURGE=/usr/bin/true
279	#
280	######################################################################
281
282
283	######### THESE SETTINGS ARE SPECIFIC TO DAEMON MODE ##########
6b557d34	284
	285
	286	#######################################################################
	287	#
	288	# DAEMON_LOG: when DenyHosts is run in daemon mode (--daemon flag)
	289	# this is the logfile that DenyHosts uses to report it's status.
	290	# To disable logging, leave blank. (default is: /var/log/denyhosts)
	291	#
	292	DAEMON_LOG = /var/log/denyhosts
	293	#
	294	# disable logging:
	295	#DAEMON_LOG =
	296	#
	297	######################################################################
	298
0dd10d1d MB	299	#######################################################################
	300	#
	301	# DAEMON_LOG_TIME_FORMAT: when DenyHosts is run in daemon mode
	302	# (--daemon flag) this specifies the timestamp format of
	303	# the DAEMON_LOG messages (default is the ISO8061 format:
	304	# ie. 2005-07-22 10:38:01,745)
	305	#
	306	# for possible values for this parameter refer to: man strftime
	307	#
	308	# Jan 1 13:05:59
	309	#DAEMON_LOG_TIME_FORMAT = %b %d %H:%M:%S
	310	#
	311	# Jan 1 01:05:59
	312	#DAEMON_LOG_TIME_FORMAT = %b %d %I:%M:%S
	313	#
	314	######################################################################
	315
6b557d34	316	#######################################################################
	317	#
	318	# DAEMON_SLEEP: when DenyHosts is run in daemon mode (--daemon flag)
	319	# this is the amount of time DenyHosts will sleep between polling
0dd10d1d MB	320	# the SECURE_LOG. See the comments in the PURGE_DENY section (above)
	321	# for details on specifying this value or for complete details
	322	# refer to: http://denyhosts.sourceforge.net/faq.html#timespec
	323	#
6b557d34	324	#
	325	DAEMON_SLEEP = 30
	326	#
	327	#######################################################################
	328
	329	#######################################################################
	330	#
0dd10d1d	331	# DAEMON_PURGE: How often should DenyHosts, when run in daemon mode,
6b557d34	332	# run the purge mechanism to expire old entries in HOSTS_DENY
6b557d34	333	# This has no effect if PURGE_DENY is blank.
	334	#
	335	DAEMON_PURGE = 60
	336	#
	337	#######################################################################
	338