]> git.pld-linux.org Git - packages/DenyHosts.git/blame - DenyHosts.cfg
projects / packages / DenyHosts.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
- updated to 2.3
[packages/DenyHosts.git] / DenyHosts.cfg
CommitLineData
6b557d34 1 ############ THESE SETTINGS ARE REQUIRED ############
cb64b9ac 2
3########################################################################
4#
5# SECURE_LOG: the log file that contains sshd logging info
6# if you are not sure, grep "sshd:" /var/log/*
7#
8# The file to process can be overridden with the --file command line
9# argument
10#
0dd10d1d 11# Redhat or Fedora Core:
cb64b9ac 12SECURE_LOG = /var/log/secure
13#
0dd10d1d 14# Mandrake, FreeBSD or OpenBSD:
cb64b9ac 15#SECURE_LOG = /var/log/auth.log
16#
17# SuSE:
18#SECURE_LOG = /var/log/messages
19#
20########################################################################
21
22########################################################################
23# HOSTS_DENY: the file which contains restricted host access information
24#
6b557d34 25# Most operating systems:
cb64b9ac 26HOSTS_DENY = /etc/tcpd/hosts.deny
27#
6b557d34 28# Some BSD (FreeBSD) Unixes:
29#HOSTS_DENY = /etc/hosts.allow
30#
31# Another possibility (also see the next option):
32#HOSTS_DENY = /etc/hosts.evil
33#######################################################################
34
6b557d34 35########################################################################
36# PURGE_DENY: removed HOSTS_DENY entries that are older than this time
37# when DenyHosts is invoked with the --purge flag
38#
39# format is: i[dhwmy]
40# Where 'i' is an integer (eg. 7)
41# 'm' = minutes
42# 'h' = hours
43# 'd' = days
44# 'w' = weeks
45# 'y' = years
46#
47# never purge:
48PURGE_DENY =
49#
50# purge entries older than 1 week
51#PURGE_DENY = 1w
52#
53# purge entries older than 5 days
54#PURGE_DENY = 5d
cb64b9ac 55#######################################################################
56
cb64b9ac 57#######################################################################
58# BLOCK_SERVICE: the service name that should be blocked in HOSTS_DENY
59#
400edb92 60# man 5 hosts_access for details
cb64b9ac 61#
6b557d34 62# eg. sshd: 127.0.0.1 # will block sshd logins from 127.0.0.1
cb64b9ac 63#
64# To block all services for the offending host:
65#BLOCK_SERVICE = ALL
66# To block only sshd:
6b557d34 67BLOCK_SERVICE = sshd
68# To only record the offending host and nothing else (if using
69# an auxilary file to list the hosts). Refer to:
70# http://denyhosts.sourceforge.net/faq.html#aux
71#BLOCK_SERVICE =
cb64b9ac 72#
73#######################################################################
74
75#######################################################################
76#
0dd10d1d
MB		 77# DENY_THRESHOLD_INVALID: block each host after the number of failed login
78# attempts has exceeded this value. This value applies to invalid
79# user login attempts (eg. non-existent user accounts)
cb64b9ac 80#
0dd10d1d 81DENY_THRESHOLD_INVALID = 3
cb64b9ac 82#
83#######################################################################
84
0dd10d1d
MB		 85#######################################################################
86#
87# DENY_THRESHOLD_VALID: block each host after the number of failed
88# login attempts has exceeded this value. This value applies to valid
89# user login attempts (eg. user accounts that exist in /etc/passwd) except
90# for the "root" user
91#
92DENY_THRESHOLD_VALID = 10
93#
94#######################################################################
95
96#######################################################################
97#
98# DENY_THRESHOLD_ROOT: block each host after the number of failed
99# login attempts has exceeded this value. This value applies to
100# "root" user login attempts only.
101#
102DENY_THRESHOLD_ROOT = 1
103#
104#######################################################################
105
c3be9809
RT		 106#######################################################################
107#
108# DENY_THRESHOLD_RESTRICTED: block each host after the number of failed
109# login attempts has exceeded this value. This value applies to
110# usernames that appear in the WORK_DIR/restricted-usernames file only.
111#
112DENY_THRESHOLD_RESTRICTED = 1
113#
114#######################################################################
0dd10d1d 115
cb64b9ac 116#######################################################################
117#
118# WORK_DIR: the path that DenyHosts will use for writing data to
0dd10d1d
MB		 119# (it will be created if it does not already exist).
120#
c3be9809
RT		 121# Note: it is recommended that you use an absolute pathname
122# for this value (eg. /home/foo/denyhosts/data)
6b557d34 123#
124WORK_DIR = /var/lib/DenyHosts
cb64b9ac 125#
126#######################################################################
127
6b557d34 128#######################################################################
129#
130# SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS
131#
132# SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES|NO
133# If set to YES, if a suspicious login attempt results from an allowed-host
134# then it is considered suspicious. If this is NO, then suspicious logins
135# from allowed-hosts will not be reported. All suspicious logins from
136# ip addresses that are not in allowed-hosts will always be reported.
137#
138SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
139######################################################################
140
141######################################################################
142#
143# HOSTNAME_LOOKUP
144#
145# HOSTNAME_LOOKUP=YES|NO
146# If set to YES, for each IP address that is reported by Denyhosts,
147# the corresponding hostname will be looked up and reported as well
148# (if available).
149#
150HOSTNAME_LOOKUP=YES
0dd10d1d 151#
6b557d34 152######################################################################
cb64b9ac 153
6b557d34 154######################################################################
155#
156# LOCK_FILE
157#
158# LOCK_FILE=/path/denyhosts
159# If this file exists when DenyHosts is run, then DenyHosts will exit
160# immediately. Otherwise, this file will be created upon invocation
161# and deleted upon exit. This ensures that only one instance is
162# running at a time.
163#
164# Redhat/Fedora:
165LOCK_FILE = /var/lock/subsys/denyhosts
166#
0dd10d1d
MB		 167# Debian
168#LOCK_FILE = /var/run/denyhosts.pid
169#
170# Misc
6b557d34 171#LOCK_FILE = /tmp/denyhosts.lock
0dd10d1d 172#
6b557d34 173######################################################################
174
175
176 ############ THESE SETTINGS ARE OPTIONAL ############
cb64b9ac 177
178
179#######################################################################
180#
181# ADMIN_EMAIL: if you would like to receive emails regarding newly
182# restricted hosts and suspicious logins, set this address to
183# match your email address. If you do not want to receive these reports
184# leave this field blank (or run with the --noemail option)
185#
186ADMIN_EMAIL = root@localhost
187#
188#######################################################################
189
190#######################################################################
191#
358bb9bc
RT		 192# SMTP_HOST and SMTP_PORT: if DenyHosts is configured to email
193# reports (see ADMIN_EMAIL) then these settings specify the
194# email server address (SMTP_HOST) and the server port (SMTP_PORT)
195#
cb64b9ac 196SMTP_HOST = localhost
197SMTP_PORT = 25
358bb9bc
RT		 198#
199#######################################################################
200
201#######################################################################
202#
203# SMTP_USERNAME and SMTP_PASSWORD: set these parameters if your
204# smtp email server requires authentication
205#
0dd10d1d
MB		 206#SMTP_USERNAME=foo
207#SMTP_PASSWORD=bar
cb64b9ac 208#
209#######################################################################
210
358bb9bc
RT		 211#######################################################################
212#
213# SMTP_FROM: you can specify the "From:" address in messages sent
214# from DenyHosts when it reports thwarted abuse attempts
215#
216SMTP_FROM = DenyHosts <nobody@localhost>
217#
218#######################################################################
219
220#######################################################################
221#
222# SMTP_SUBJECT: you can specify the "Subject:" of messages sent
223# by DenyHosts when it reports thwarted abuse attempts
224SMTP_SUBJECT = DenyHosts Report
225#
226######################################################################
227
228######################################################################
229#
230# SMTP_DATE_FORMAT: specifies the format used for the "Date:" header
231# when sending email messages.
232#
233# for possible values for this parameter refer to: man strftime
234#
235# the default:
236#
237#SMTP_DATE_FORMAT = %a, %d %b %Y %H:%M:%S %z
238#
239######################################################################
240
0dd10d1d
MB		 241######################################################################
242#
243# ALLOWED_HOSTS_HOSTNAME_LOOKUP
244#
245# ALLOWED_HOSTS_HOSTNAME_LOOKUP=YES|NO
246# If set to YES, for each entry in the WORK_DIR/allowed-hosts file,
247# the hostname will be looked up. If your versions of tcp_wrappers
248# and sshd sometimes log hostnames in addition to ip addresses
249# then you may wish to specify this option.
250#
251#ALLOWED_HOSTS_HOSTNAME_LOOKUP=NO
252#
253######################################################################
254
255######################################################################
256#
257# AGE_RESET_VALID: Specifies the period of time between failed login
258# attempts that, when exceeded will result in the failed count for
259# this host to be reset to 0. This value applies to login attempts
260# to all valid users (those within /etc/passwd) with the
261# exception of root. If not defined, this count will never
262# be reset.
263#
264# See the comments in the PURGE_DENY section (above)
265# for details on specifying this value or for complete details
266# refer to: http://denyhosts.sourceforge.net/faq.html#timespec
267#
268AGE_RESET_VALID=5d
269#
270######################################################################
271
272######################################################################
273#
274# AGE_RESET_ROOT: Specifies the period of time between failed login
275# attempts that, when exceeded will result in the failed count for
276# this host to be reset to 0. This value applies to all login
277# attempts to the "root" user account. If not defined,
278# this count will never be reset.
279#
280# See the comments in the PURGE_DENY section (above)
281# for details on specifying this value or for complete details
282# refer to: http://denyhosts.sourceforge.net/faq.html#timespec
283#
284AGE_RESET_ROOT=25d
285#
286######################################################################
287
c3be9809
RT		 288######################################################################
289#
290# AGE_RESET_RESTRICTED: Specifies the period of time between failed login
291# attempts that, when exceeded will result in the failed count for
292# this host to be reset to 0. This value applies to all login
293# attempts to entries found in the WORK_DIR/restricted-usernames file.
294# If not defined, the count will never be reset.
295#
296# See the comments in the PURGE_DENY section (above)
297# for details on specifying this value or for complete details
298# refer to: http://denyhosts.sourceforge.net/faq.html#timespec
299#
300AGE_RESET_RESTRICTED=25d
301#
302######################################################################
303
0dd10d1d
MB		 304######################################################################
305#
306# AGE_RESET_INVALID: Specifies the period of time between failed login
307# attempts that, when exceeded will result in the failed count for
308# this host to be reset to 0. This value applies to login attempts
309# made to any invalid username (those that do not appear
310# in /etc/passwd). If not defined, count will never be reset.
311#
312# See the comments in the PURGE_DENY section (above)
313# for details on specifying this value or for complete details
314# refer to: http://denyhosts.sourceforge.net/faq.html#timespec
315#
316AGE_RESET_INVALID=10d
317#
318######################################################################
319
c3be9809
RT		 320######################################################################
321#
322# RESET_ON_SUCCESS: If this parameter is set to "yes" then the
323# failed count for the respective ip address will be reset to 0
324# if the login is successful.
325#
326# The default is RESET_ON_SUCCESS = no
327#
328#RESET_ON_SUCCESS = yes
329#
330#####################################################################
331
0dd10d1d
MB		 332######################################################################
333#
334# PLUGIN_DENY: If set, this value should point to an executable
335# program that will be invoked when a host is added to the
336# HOSTS_DENY file. This executable will be passed the host
337# that will be added as it's only argument.
338#
339#PLUGIN_DENY=/usr/bin/true
340#
341######################################################################
342
343
344######################################################################
345#
346# PLUGIN_PURGE: If set, this value should point to an executable
347# program that will be invoked when a host is removed from the
348# HOSTS_DENY file. This executable will be passed the host
349# that is to be purged as it's only argument.
350#
351#PLUGIN_PURGE=/usr/bin/true
352#
353######################################################################
354
400edb92
MB		 355######################################################################
356#
357# USERDEF_FAILED_ENTRY_REGEX: if set, this value should contain
358# a regular expression that can be used to identify additional
359# hackers for your particular ssh configuration. This functionality
360# extends the built-in regular expressions that DenyHosts uses.
361# This parameter can be specified multiple times.
362# See this faq entry for more details:
363# http://denyhosts.sf.net/faq.html#userdef_regex
364#
365#USERDEF_FAILED_ENTRY_REGEX=
366#
367#
368######################################################################
369
370
371
0dd10d1d
MB		 372
373 ######### THESE SETTINGS ARE SPECIFIC TO DAEMON MODE ##########
6b557d34 374
375
400edb92 376
6b557d34 377#######################################################################
378#
379# DAEMON_LOG: when DenyHosts is run in daemon mode (--daemon flag)
380# this is the logfile that DenyHosts uses to report it's status.
381# To disable logging, leave blank. (default is: /var/log/denyhosts)
382#
383DAEMON_LOG = /var/log/denyhosts
384#
385# disable logging:
386#DAEMON_LOG =
387#
388######################################################################
389
0dd10d1d
MB		 390#######################################################################
391#
392# DAEMON_LOG_TIME_FORMAT: when DenyHosts is run in daemon mode
393# (--daemon flag) this specifies the timestamp format of
394# the DAEMON_LOG messages (default is the ISO8061 format:
395# ie. 2005-07-22 10:38:01,745)
396#
397# for possible values for this parameter refer to: man strftime
398#
399# Jan 1 13:05:59
400#DAEMON_LOG_TIME_FORMAT = %b %d %H:%M:%S
401#
402# Jan 1 01:05:59
403#DAEMON_LOG_TIME_FORMAT = %b %d %I:%M:%S
404#
405######################################################################
400edb92
MB		 406
407#######################################################################
408#
409# DAEMON_LOG_MESSAGE_FORMAT: when DenyHosts is run in daemon mode
410# (--daemon flag) this specifies the message format of each logged
411# entry. By default the following format is used:
412#
413# %(asctime)s - %(name)-12s: %(levelname)-8s %(message)s
414#
415# Where the "%(asctime)s" portion is expanded to the format
416# defined by DAEMON_LOG_TIME_FORMAT
417#
418# This string is passed to python's logging.Formatter contstuctor.
419# For details on the possible format types please refer to:
420# http://docs.python.org/lib/node357.html
421#
422# This is the default:
423#DAEMON_LOG_MESSAGE_FORMAT = %(asctime)s - %(name)-12s: %(levelname)-8s %(message)s
424#
425#
426######################################################################
427
0dd10d1d 428
6b557d34 429#######################################################################
430#
431# DAEMON_SLEEP: when DenyHosts is run in daemon mode (--daemon flag)
432# this is the amount of time DenyHosts will sleep between polling
0dd10d1d
MB		 433# the SECURE_LOG. See the comments in the PURGE_DENY section (above)
434# for details on specifying this value or for complete details
435# refer to: http://denyhosts.sourceforge.net/faq.html#timespec
436#
6b557d34 437#
358bb9bc 438DAEMON_SLEEP = 30s
6b557d34 439#
440#######################################################################
441
442#######################################################################
443#
0dd10d1d 444# DAEMON_PURGE: How often should DenyHosts, when run in daemon mode,
6b557d34 445# run the purge mechanism to expire old entries in HOSTS_DENY
6b557d34 446# This has no effect if PURGE_DENY is blank.
447#
448DAEMON_PURGE = 60
449#
450#######################################################################
451
400edb92
MB		 452
453 ######### THESE SETTINGS ARE SPECIFIC TO ##########
454 ######### DAEMON SYNCHRONIZATION ##########
455
456
457#######################################################################
458#
459# Synchronization mode allows the DenyHosts daemon the ability
460# to periodically send and receive denied host data such that
461# DenyHosts daemons worldwide can automatically inform one
462# another regarding banned hosts. This mode is disabled by
463# default, you must uncomment SYNC_SERVER to enable this mode.
464#
465# for more information, please refer to:
466# http:/denyhosts.sourceforge.net/faq.html#sync
467#
468#######################################################################
469
470
471#######################################################################
472#
473# SYNC_SERVER: The central server that communicates with DenyHost
474# daemons. Currently, denyhosts.net is the only available server
475# however, in the future, it may be possible for organizations to
476# install their own server for internal network synchronization
477#
478# To disable synchronization (the default), do nothing.
479#
480# To enable synchronization, you must uncomment the following line:
481#SYNC_SERVER = http://xmlrpc.denyhosts.net:9911
482#
483#######################################################################
484
485#######################################################################
486#
487# SYNC_INTERVAL: the interval of time to perform synchronizations if
488# SYNC_SERVER has been uncommented. The default is 1 hour.
489#
490#SYNC_INTERVAL = 1h
491#
492#######################################################################
493
494
495#######################################################################
496#
497# SYNC_UPLOAD: allow your DenyHosts daemon to transmit hosts that have
498# been denied? This option only applies if SYNC_SERVER has
499# been uncommented.
c3be9809 500# The default is SYNC_UPLOAD = yes
400edb92
MB		 501#
502#SYNC_UPLOAD = no
400edb92
MB		 503#SYNC_UPLOAD = yes
504#
505#######################################################################
506
507
508#######################################################################
509#
510# SYNC_DOWNLOAD: allow your DenyHosts daemon to receive hosts that have
511# been denied by others? This option only applies if SYNC_SERVER has
512# been uncommented.
c3be9809 513# The default is SYNC_DOWNLOAD = yes
400edb92
MB		 514#
515#SYNC_DOWNLOAD = no
400edb92
MB		 516#SYNC_DOWNLOAD = yes
517#
518#######################################################################
519
520#######################################################################
521#
522# SYNC_DOWNLOAD_THRESHOLD: If SYNC_DOWNLOAD is enabled this paramter
523# filters the returned hosts to those that have been blocked this many
524# times by others. That is, if set to 1, then if a single DenyHosts
525# server has denied an ip address then you will receive the denied host.
c3be9809
RT		 526#
527# See also SYNC_DOWNLOAD_RESILIENCY
400edb92
MB		 528#
529#SYNC_DOWNLOAD_THRESHOLD = 10
530#
c3be9809 531# The default is SYNC_DOWNLOAD_THRESHOLD = 3
400edb92
MB		 532#SYNC_DOWNLOAD_THRESHOLD = 3
533#
534#######################################################################
535
c3be9809
RT		 536#######################################################################
537#
538# SYNC_DOWNLOAD_RESILIENCY: If SYNC_DOWNLOAD is enabled then the
539# value specified for this option limits the downloaded data
540# to this resiliency period or greater.
541#
542# Resiliency is defined as the timespan between a hackers first known
543# attack and it's most recent attack. Example:
544#
545# If the centralized denyhosts.net server records an attack at 2 PM
546# and then again at 5 PM, specifying a SYNC_DOWNLOAD_RESILIENCY = 4h
547# will not download this ip address.
548#
549# However, if the attacker is recorded again at 6:15 PM then the
550# ip address will be downloaded by your DenyHosts instance.
551#
552# This value is used in conjunction with the SYNC_DOWNLOAD_THRESHOLD
553# and only hosts that satisfy both values will be downloaded.
554# This value has no effect if SYNC_DOWNLOAD_THRESHOLD = 1
555#
556# The default is SYNC_DOWNLOAD_RESILIENCY = 5h (5 hours)
557#
558# Only obtain hackers that have been at it for 2 days or more:
559#SYNC_DOWNLOAD_RESILIENCY = 2d
560#
561# Only obtain hackers that have been at it for 5 hours or more:
562#SYNC_DOWNLOAD_RESILIENCY = 5h
563#
564#######################################################################
400edb92 565
Script to help thwart SSH server attacks
This page took 0.1553 seconds and 4 git commands to generate.