]> git.pld-linux.org Git - packages/DenyHosts.git/blame - DenyHosts.cfg
projects / packages / DenyHosts.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
- updated to 2.5
[packages/DenyHosts.git] / DenyHosts.cfg
CommitLineData
6b557d34 1 ############ THESE SETTINGS ARE REQUIRED ############
cb64b9ac 2
3########################################################################
4#
5# SECURE_LOG: the log file that contains sshd logging info
6# if you are not sure, grep "sshd:" /var/log/*
7#
8# The file to process can be overridden with the --file command line
9# argument
10#
0dd10d1d 11# Redhat or Fedora Core:
cb64b9ac 12SECURE_LOG = /var/log/secure
13#
0dd10d1d 14# Mandrake, FreeBSD or OpenBSD:
cb64b9ac 15#SECURE_LOG = /var/log/auth.log
16#
17# SuSE:
18#SECURE_LOG = /var/log/messages
19#
55eeb5c2
RT		 20# Mac OS X (v10.4 or greater -
21# also refer to: http://www.denyhosts.net/faq.html#macos
22#SECURE_LOG = /private/var/log/asl.log
23#
24# Mac OS X (v10.3 or earlier):
25#SECURE_LOG=/private/var/log/system.log
26#
cb64b9ac 27########################################################################
28
29########################################################################
30# HOSTS_DENY: the file which contains restricted host access information
31#
6b557d34 32# Most operating systems:
cb64b9ac 33HOSTS_DENY = /etc/tcpd/hosts.deny
34#
6b557d34 35# Some BSD (FreeBSD) Unixes:
36#HOSTS_DENY = /etc/hosts.allow
37#
38# Another possibility (also see the next option):
39#HOSTS_DENY = /etc/hosts.evil
40#######################################################################
41
6b557d34 42########################################################################
43# PURGE_DENY: removed HOSTS_DENY entries that are older than this time
44# when DenyHosts is invoked with the --purge flag
45#
46# format is: i[dhwmy]
47# Where 'i' is an integer (eg. 7)
48# 'm' = minutes
49# 'h' = hours
50# 'd' = days
51# 'w' = weeks
52# 'y' = years
53#
54# never purge:
55PURGE_DENY =
56#
57# purge entries older than 1 week
58#PURGE_DENY = 1w
59#
60# purge entries older than 5 days
61#PURGE_DENY = 5d
cb64b9ac 62#######################################################################
63
55eeb5c2
RT		 64#######################################################################
65#
66# PURGE_THRESHOLD: defines the maximum times a host will be purged.
67# Once this value has been exceeded then this host will not be purged.
68# Setting this parameter to 0 (the default) disables this feature.
69#
70# default: a denied host can be purged/re-added indefinitely
71#PURGE_THRESHOLD = 0
72#
73# a denied host will be purged at most 2 times.
74#PURGE_THRESHOLD = 2
75#
76#######################################################################
77
cb64b9ac 78#######################################################################
79# BLOCK_SERVICE: the service name that should be blocked in HOSTS_DENY
80#
400edb92 81# man 5 hosts_access for details
cb64b9ac 82#
6b557d34 83# eg. sshd: 127.0.0.1 # will block sshd logins from 127.0.0.1
cb64b9ac 84#
85# To block all services for the offending host:
86#BLOCK_SERVICE = ALL
87# To block only sshd:
6b557d34 88BLOCK_SERVICE = sshd
89# To only record the offending host and nothing else (if using
90# an auxilary file to list the hosts). Refer to:
91# http://denyhosts.sourceforge.net/faq.html#aux
92#BLOCK_SERVICE =
cb64b9ac 93#
94#######################################################################
95
96#######################################################################
97#
0dd10d1d
MB		 98# DENY_THRESHOLD_INVALID: block each host after the number of failed login
99# attempts has exceeded this value. This value applies to invalid
100# user login attempts (eg. non-existent user accounts)
cb64b9ac 101#
0dd10d1d 102DENY_THRESHOLD_INVALID = 3
cb64b9ac 103#
104#######################################################################
105
0dd10d1d
MB		 106#######################################################################
107#
108# DENY_THRESHOLD_VALID: block each host after the number of failed
109# login attempts has exceeded this value. This value applies to valid
110# user login attempts (eg. user accounts that exist in /etc/passwd) except
111# for the "root" user
112#
113DENY_THRESHOLD_VALID = 10
114#
115#######################################################################
116
117#######################################################################
118#
119# DENY_THRESHOLD_ROOT: block each host after the number of failed
120# login attempts has exceeded this value. This value applies to
121# "root" user login attempts only.
122#
123DENY_THRESHOLD_ROOT = 1
124#
125#######################################################################
126
c3be9809
RT		 127#######################################################################
128#
129# DENY_THRESHOLD_RESTRICTED: block each host after the number of failed
130# login attempts has exceeded this value. This value applies to
131# usernames that appear in the WORK_DIR/restricted-usernames file only.
132#
133DENY_THRESHOLD_RESTRICTED = 1
134#
135#######################################################################
0dd10d1d 136
cb64b9ac 137#######################################################################
138#
139# WORK_DIR: the path that DenyHosts will use for writing data to
0dd10d1d
MB		 140# (it will be created if it does not already exist).
141#
c3be9809
RT		 142# Note: it is recommended that you use an absolute pathname
143# for this value (eg. /home/foo/denyhosts/data)
6b557d34 144#
145WORK_DIR = /var/lib/DenyHosts
cb64b9ac 146#
147#######################################################################
148
6b557d34 149#######################################################################
150#
151# SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS
152#
153# SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES|NO
154# If set to YES, if a suspicious login attempt results from an allowed-host
155# then it is considered suspicious. If this is NO, then suspicious logins
156# from allowed-hosts will not be reported. All suspicious logins from
157# ip addresses that are not in allowed-hosts will always be reported.
158#
159SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
160######################################################################
161
162######################################################################
163#
164# HOSTNAME_LOOKUP
165#
166# HOSTNAME_LOOKUP=YES|NO
167# If set to YES, for each IP address that is reported by Denyhosts,
168# the corresponding hostname will be looked up and reported as well
169# (if available).
170#
171HOSTNAME_LOOKUP=YES
0dd10d1d 172#
6b557d34 173######################################################################
cb64b9ac 174
6b557d34 175######################################################################
176#
177# LOCK_FILE
178#
179# LOCK_FILE=/path/denyhosts
180# If this file exists when DenyHosts is run, then DenyHosts will exit
181# immediately. Otherwise, this file will be created upon invocation
182# and deleted upon exit. This ensures that only one instance is
183# running at a time.
184#
185# Redhat/Fedora:
186LOCK_FILE = /var/lock/subsys/denyhosts
187#
0dd10d1d
MB		 188# Debian
189#LOCK_FILE = /var/run/denyhosts.pid
190#
191# Misc
6b557d34 192#LOCK_FILE = /tmp/denyhosts.lock
0dd10d1d 193#
6b557d34 194######################################################################
195
196
197 ############ THESE SETTINGS ARE OPTIONAL ############
cb64b9ac 198
199
200#######################################################################
201#
202# ADMIN_EMAIL: if you would like to receive emails regarding newly
203# restricted hosts and suspicious logins, set this address to
204# match your email address. If you do not want to receive these reports
205# leave this field blank (or run with the --noemail option)
206#
207ADMIN_EMAIL = root@localhost
208#
209#######################################################################
210
211#######################################################################
212#
358bb9bc
RT		 213# SMTP_HOST and SMTP_PORT: if DenyHosts is configured to email
214# reports (see ADMIN_EMAIL) then these settings specify the
215# email server address (SMTP_HOST) and the server port (SMTP_PORT)
216#
cb64b9ac 217SMTP_HOST = localhost
218SMTP_PORT = 25
358bb9bc
RT		 219#
220#######################################################################
221
222#######################################################################
223#
224# SMTP_USERNAME and SMTP_PASSWORD: set these parameters if your
225# smtp email server requires authentication
226#
0dd10d1d
MB		 227#SMTP_USERNAME=foo
228#SMTP_PASSWORD=bar
cb64b9ac 229#
230#######################################################################
231
358bb9bc
RT		 232#######################################################################
233#
234# SMTP_FROM: you can specify the "From:" address in messages sent
235# from DenyHosts when it reports thwarted abuse attempts
236#
237SMTP_FROM = DenyHosts <nobody@localhost>
238#
239#######################################################################
240
241#######################################################################
242#
243# SMTP_SUBJECT: you can specify the "Subject:" of messages sent
244# by DenyHosts when it reports thwarted abuse attempts
245SMTP_SUBJECT = DenyHosts Report
246#
247######################################################################
248
249######################################################################
250#
251# SMTP_DATE_FORMAT: specifies the format used for the "Date:" header
252# when sending email messages.
253#
254# for possible values for this parameter refer to: man strftime
255#
256# the default:
257#
258#SMTP_DATE_FORMAT = %a, %d %b %Y %H:%M:%S %z
259#
260######################################################################
261
55eeb5c2
RT		 262######################################################################
263#
264# SYSLOG_REPORT
265#
266# SYSLOG_REPORT=YES|NO
267# If set to yes, when denied hosts are recorded the report data
268# will be sent to syslog (syslog must be present on your system).
269# The default is: NO
270#
271#SYSLOG_REPORT=NO
272#
273#SYSLOG_REPORT=YES
274#
275######################################################################
276
0dd10d1d
MB		 277######################################################################
278#
279# ALLOWED_HOSTS_HOSTNAME_LOOKUP
280#
281# ALLOWED_HOSTS_HOSTNAME_LOOKUP=YES|NO
282# If set to YES, for each entry in the WORK_DIR/allowed-hosts file,
283# the hostname will be looked up. If your versions of tcp_wrappers
284# and sshd sometimes log hostnames in addition to ip addresses
285# then you may wish to specify this option.
286#
287#ALLOWED_HOSTS_HOSTNAME_LOOKUP=NO
288#
289######################################################################
290
291######################################################################
292#
293# AGE_RESET_VALID: Specifies the period of time between failed login
294# attempts that, when exceeded will result in the failed count for
295# this host to be reset to 0. This value applies to login attempts
296# to all valid users (those within /etc/passwd) with the
297# exception of root. If not defined, this count will never
298# be reset.
299#
300# See the comments in the PURGE_DENY section (above)
301# for details on specifying this value or for complete details
302# refer to: http://denyhosts.sourceforge.net/faq.html#timespec
303#
304AGE_RESET_VALID=5d
305#
306######################################################################
307
308######################################################################
309#
310# AGE_RESET_ROOT: Specifies the period of time between failed login
311# attempts that, when exceeded will result in the failed count for
312# this host to be reset to 0. This value applies to all login
313# attempts to the "root" user account. If not defined,
314# this count will never be reset.
315#
316# See the comments in the PURGE_DENY section (above)
317# for details on specifying this value or for complete details
318# refer to: http://denyhosts.sourceforge.net/faq.html#timespec
319#
320AGE_RESET_ROOT=25d
321#
322######################################################################
323
c3be9809
RT		 324######################################################################
325#
326# AGE_RESET_RESTRICTED: Specifies the period of time between failed login
327# attempts that, when exceeded will result in the failed count for
328# this host to be reset to 0. This value applies to all login
329# attempts to entries found in the WORK_DIR/restricted-usernames file.
330# If not defined, the count will never be reset.
331#
332# See the comments in the PURGE_DENY section (above)
333# for details on specifying this value or for complete details
334# refer to: http://denyhosts.sourceforge.net/faq.html#timespec
335#
336AGE_RESET_RESTRICTED=25d
337#
338######################################################################
339
0dd10d1d
MB		 340######################################################################
341#
342# AGE_RESET_INVALID: Specifies the period of time between failed login
343# attempts that, when exceeded will result in the failed count for
344# this host to be reset to 0. This value applies to login attempts
345# made to any invalid username (those that do not appear
346# in /etc/passwd). If not defined, count will never be reset.
347#
348# See the comments in the PURGE_DENY section (above)
349# for details on specifying this value or for complete details
350# refer to: http://denyhosts.sourceforge.net/faq.html#timespec
351#
352AGE_RESET_INVALID=10d
353#
354######################################################################
355
c3be9809
RT		 356######################################################################
357#
358# RESET_ON_SUCCESS: If this parameter is set to "yes" then the
359# failed count for the respective ip address will be reset to 0
360# if the login is successful.
361#
362# The default is RESET_ON_SUCCESS = no
363#
364#RESET_ON_SUCCESS = yes
365#
366#####################################################################
367
0dd10d1d
MB		 368######################################################################
369#
370# PLUGIN_DENY: If set, this value should point to an executable
371# program that will be invoked when a host is added to the
372# HOSTS_DENY file. This executable will be passed the host
373# that will be added as it's only argument.
374#
375#PLUGIN_DENY=/usr/bin/true
376#
377######################################################################
378
379
380######################################################################
381#
382# PLUGIN_PURGE: If set, this value should point to an executable
383# program that will be invoked when a host is removed from the
384# HOSTS_DENY file. This executable will be passed the host
385# that is to be purged as it's only argument.
386#
387#PLUGIN_PURGE=/usr/bin/true
388#
389######################################################################
390
400edb92
MB		 391######################################################################
392#
393# USERDEF_FAILED_ENTRY_REGEX: if set, this value should contain
394# a regular expression that can be used to identify additional
395# hackers for your particular ssh configuration. This functionality
396# extends the built-in regular expressions that DenyHosts uses.
397# This parameter can be specified multiple times.
398# See this faq entry for more details:
399# http://denyhosts.sf.net/faq.html#userdef_regex
400#
401#USERDEF_FAILED_ENTRY_REGEX=
402#
403#
404######################################################################
405
406
407
0dd10d1d
MB		 408
409 ######### THESE SETTINGS ARE SPECIFIC TO DAEMON MODE ##########
6b557d34 410
411
400edb92 412
6b557d34 413#######################################################################
414#
415# DAEMON_LOG: when DenyHosts is run in daemon mode (--daemon flag)
416# this is the logfile that DenyHosts uses to report it's status.
417# To disable logging, leave blank. (default is: /var/log/denyhosts)
418#
419DAEMON_LOG = /var/log/denyhosts
420#
421# disable logging:
422#DAEMON_LOG =
423#
424######################################################################
425
0dd10d1d
MB		 426#######################################################################
427#
428# DAEMON_LOG_TIME_FORMAT: when DenyHosts is run in daemon mode
429# (--daemon flag) this specifies the timestamp format of
430# the DAEMON_LOG messages (default is the ISO8061 format:
431# ie. 2005-07-22 10:38:01,745)
432#
433# for possible values for this parameter refer to: man strftime
434#
435# Jan 1 13:05:59
436#DAEMON_LOG_TIME_FORMAT = %b %d %H:%M:%S
437#
438# Jan 1 01:05:59
439#DAEMON_LOG_TIME_FORMAT = %b %d %I:%M:%S
440#
441######################################################################
400edb92
MB		 442
443#######################################################################
444#
445# DAEMON_LOG_MESSAGE_FORMAT: when DenyHosts is run in daemon mode
446# (--daemon flag) this specifies the message format of each logged
447# entry. By default the following format is used:
448#
449# %(asctime)s - %(name)-12s: %(levelname)-8s %(message)s
450#
451# Where the "%(asctime)s" portion is expanded to the format
452# defined by DAEMON_LOG_TIME_FORMAT
453#
454# This string is passed to python's logging.Formatter contstuctor.
455# For details on the possible format types please refer to:
456# http://docs.python.org/lib/node357.html
457#
458# This is the default:
459#DAEMON_LOG_MESSAGE_FORMAT = %(asctime)s - %(name)-12s: %(levelname)-8s %(message)s
460#
461#
462######################################################################
463
0dd10d1d 464
6b557d34 465#######################################################################
466#
467# DAEMON_SLEEP: when DenyHosts is run in daemon mode (--daemon flag)
468# this is the amount of time DenyHosts will sleep between polling
0dd10d1d
MB		 469# the SECURE_LOG. See the comments in the PURGE_DENY section (above)
470# for details on specifying this value or for complete details
471# refer to: http://denyhosts.sourceforge.net/faq.html#timespec
472#
6b557d34 473#
358bb9bc 474DAEMON_SLEEP = 30s
6b557d34 475#
476#######################################################################
477
478#######################################################################
479#
0dd10d1d 480# DAEMON_PURGE: How often should DenyHosts, when run in daemon mode,
6b557d34 481# run the purge mechanism to expire old entries in HOSTS_DENY
6b557d34 482# This has no effect if PURGE_DENY is blank.
483#
484DAEMON_PURGE = 60
485#
486#######################################################################
487
400edb92
MB		 488
489 ######### THESE SETTINGS ARE SPECIFIC TO ##########
490 ######### DAEMON SYNCHRONIZATION ##########
491
492
493#######################################################################
494#
495# Synchronization mode allows the DenyHosts daemon the ability
496# to periodically send and receive denied host data such that
497# DenyHosts daemons worldwide can automatically inform one
498# another regarding banned hosts. This mode is disabled by
499# default, you must uncomment SYNC_SERVER to enable this mode.
500#
501# for more information, please refer to:
502# http:/denyhosts.sourceforge.net/faq.html#sync
503#
504#######################################################################
505
506
507#######################################################################
508#
509# SYNC_SERVER: The central server that communicates with DenyHost
510# daemons. Currently, denyhosts.net is the only available server
511# however, in the future, it may be possible for organizations to
512# install their own server for internal network synchronization
513#
514# To disable synchronization (the default), do nothing.
515#
516# To enable synchronization, you must uncomment the following line:
517#SYNC_SERVER = http://xmlrpc.denyhosts.net:9911
518#
519#######################################################################
520
521#######################################################################
522#
523# SYNC_INTERVAL: the interval of time to perform synchronizations if
524# SYNC_SERVER has been uncommented. The default is 1 hour.
525#
526#SYNC_INTERVAL = 1h
527#
528#######################################################################
529
530
531#######################################################################
532#
533# SYNC_UPLOAD: allow your DenyHosts daemon to transmit hosts that have
534# been denied? This option only applies if SYNC_SERVER has
535# been uncommented.
c3be9809 536# The default is SYNC_UPLOAD = yes
400edb92
MB		 537#
538#SYNC_UPLOAD = no
400edb92
MB		 539#SYNC_UPLOAD = yes
540#
541#######################################################################
542
543
544#######################################################################
545#
546# SYNC_DOWNLOAD: allow your DenyHosts daemon to receive hosts that have
547# been denied by others? This option only applies if SYNC_SERVER has
548# been uncommented.
c3be9809 549# The default is SYNC_DOWNLOAD = yes
400edb92
MB		 550#
551#SYNC_DOWNLOAD = no
400edb92
MB		 552#SYNC_DOWNLOAD = yes
553#
554#######################################################################
555
556#######################################################################
557#
558# SYNC_DOWNLOAD_THRESHOLD: If SYNC_DOWNLOAD is enabled this paramter
559# filters the returned hosts to those that have been blocked this many
560# times by others. That is, if set to 1, then if a single DenyHosts
561# server has denied an ip address then you will receive the denied host.
c3be9809
RT		 562#
563# See also SYNC_DOWNLOAD_RESILIENCY
400edb92
MB		 564#
565#SYNC_DOWNLOAD_THRESHOLD = 10
566#
c3be9809 567# The default is SYNC_DOWNLOAD_THRESHOLD = 3
400edb92
MB		 568#SYNC_DOWNLOAD_THRESHOLD = 3
569#
570#######################################################################
571
c3be9809
RT		 572#######################################################################
573#
574# SYNC_DOWNLOAD_RESILIENCY: If SYNC_DOWNLOAD is enabled then the
575# value specified for this option limits the downloaded data
576# to this resiliency period or greater.
577#
578# Resiliency is defined as the timespan between a hackers first known
579# attack and it's most recent attack. Example:
580#
581# If the centralized denyhosts.net server records an attack at 2 PM
582# and then again at 5 PM, specifying a SYNC_DOWNLOAD_RESILIENCY = 4h
583# will not download this ip address.
584#
585# However, if the attacker is recorded again at 6:15 PM then the
586# ip address will be downloaded by your DenyHosts instance.
587#
588# This value is used in conjunction with the SYNC_DOWNLOAD_THRESHOLD
589# and only hosts that satisfy both values will be downloaded.
590# This value has no effect if SYNC_DOWNLOAD_THRESHOLD = 1
591#
592# The default is SYNC_DOWNLOAD_RESILIENCY = 5h (5 hours)
593#
594# Only obtain hackers that have been at it for 2 days or more:
595#SYNC_DOWNLOAD_RESILIENCY = 2d
596#
597# Only obtain hackers that have been at it for 5 hours or more:
598#SYNC_DOWNLOAD_RESILIENCY = 5h
599#
600#######################################################################
400edb92 601
Script to help thwart SSH server attacks
This page took 0.16615 seconds and 4 git commands to generate.