[packages/DenyHosts.git] / DenyHosts.cfg

       ############ THESE SETTINGS ARE REQUIRED ############

########################################################################
#
# SECURE_LOG: the log file that contains sshd logging info
# if you are not sure, grep "sshd:" /var/log/*
#
# The file to process can be overridden with the --file command line
# argument
#
# Redhat or Fedora Core:
SECURE_LOG = /var/log/secure
#
# Mandrake, FreeBSD or OpenBSD: 
#SECURE_LOG = /var/log/auth.log
#
# SuSE:
#SECURE_LOG = /var/log/messages
#
########################################################################

########################################################################
# HOSTS_DENY: the file which contains restricted host access information
#
# Most operating systems:
HOSTS_DENY = /etc/tcpd/hosts.deny
#
# Some BSD (FreeBSD) Unixes:
#HOSTS_DENY = /etc/hosts.allow
#
# Another possibility (also see the next option):
#HOSTS_DENY = /etc/hosts.evil
#######################################################################

########################################################################
# PURGE_DENY: removed HOSTS_DENY entries that are older than this time
#             when DenyHosts is invoked with the --purge flag
#
#      format is: i[dhwmy]
#      Where 'i' is an integer (eg. 7) 
#            'm' = minutes
#            'h' = hours
#            'd' = days
#            'w' = weeks
#            'y' = years
#
# never purge:
PURGE_DENY = 
#
# purge entries older than 1 week
#PURGE_DENY = 1w
#
# purge entries older than 5 days
#PURGE_DENY = 5d
#######################################################################

#######################################################################
# BLOCK_SERVICE: the service name that should be blocked in HOSTS_DENY
# 
# man 5 hosts_access for details
#
# eg.   sshd: 127.0.0.1  # will block sshd logins from 127.0.0.1
#
# To block all services for the offending host:
#BLOCK_SERVICE = ALL
# To block only sshd:
BLOCK_SERVICE  = sshd
# To only record the offending host and nothing else (if using
# an auxilary file to list the hosts).  Refer to: 
# http://denyhosts.sourceforge.net/faq.html#aux
#BLOCK_SERVICE =    
#
#######################################################################

#######################################################################
#
# DENY_THRESHOLD_INVALID: block each host after the number of failed login 
# attempts has exceeded this value.  This value applies to invalid
# user login attempts (eg. non-existent user accounts)
#
DENY_THRESHOLD_INVALID = 3
#
#######################################################################

#######################################################################
#
# DENY_THRESHOLD_VALID: block each host after the number of failed 
# login attempts has exceeded this value.  This value applies to valid
# user login attempts (eg. user accounts that exist in /etc/passwd) except
# for the "root" user
#
DENY_THRESHOLD_VALID = 10
#
#######################################################################

#######################################################################
#
# DENY_THRESHOLD_ROOT: block each host after the number of failed 
# login attempts has exceeded this value.  This value applies to 
# "root" user login attempts only.
#
DENY_THRESHOLD_ROOT = 1
#
#######################################################################

#######################################################################
#
# DENY_THRESHOLD_RESTRICTED: block each host after the number of failed
# login attempts has exceeded this value.  This value applies to
# usernames that appear in the WORK_DIR/restricted-usernames file only.
#
DENY_THRESHOLD_RESTRICTED = 1
#
#######################################################################

#######################################################################
#
# WORK_DIR: the path that DenyHosts will use for writing data to
# (it will be created if it does not already exist).  
#
# Note: it is recommended that you use an absolute pathname
# for this value (eg. /home/foo/denyhosts/data)
#
WORK_DIR = /var/lib/DenyHosts
#
#######################################################################

#######################################################################
#
# SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS
#
# SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES|NO
# If set to YES, if a suspicious login attempt results from an allowed-host
# then it is considered suspicious.  If this is NO, then suspicious logins 
# from allowed-hosts will not be reported.  All suspicious logins from 
# ip addresses that are not in allowed-hosts will always be reported.
#
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
######################################################################

######################################################################
#
# HOSTNAME_LOOKUP
#
# HOSTNAME_LOOKUP=YES|NO
# If set to YES, for each IP address that is reported by Denyhosts,
# the corresponding hostname will be looked up and reported as well
# (if available).
#
HOSTNAME_LOOKUP=YES
#
######################################################################

######################################################################
#
# LOCK_FILE
#
# LOCK_FILE=/path/denyhosts
# If this file exists when DenyHosts is run, then DenyHosts will exit
# immediately.  Otherwise, this file will be created upon invocation
# and deleted upon exit.  This ensures that only one instance is
# running at a time.
#
# Redhat/Fedora:
LOCK_FILE = /var/lock/subsys/denyhosts
#
# Debian
#LOCK_FILE = /var/run/denyhosts.pid
#
# Misc
#LOCK_FILE = /tmp/denyhosts.lock
#
######################################################################


       ############ THESE SETTINGS ARE OPTIONAL ############


#######################################################################
#
# ADMIN_EMAIL: if you would like to receive emails regarding newly
# restricted hosts and suspicious logins, set this address to 
# match your email address.  If you do not want to receive these reports
# leave this field blank (or run with the --noemail option)
#
ADMIN_EMAIL = root@localhost
#
#######################################################################

#######################################################################
#
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_FROM = DenyHosts <nobody@localhost>
SMTP_SUBJECT = DenyHosts Report
#SMTP_USERNAME=foo
#SMTP_PASSWORD=bar
#
#######################################################################

######################################################################
#
# ALLOWED_HOSTS_HOSTNAME_LOOKUP
#
# ALLOWED_HOSTS_HOSTNAME_LOOKUP=YES|NO
# If set to YES, for each entry in the WORK_DIR/allowed-hosts file,
# the hostname will be looked up.  If your versions of tcp_wrappers
# and sshd sometimes log hostnames in addition to ip addresses
# then you may wish to specify this option.
# 
#ALLOWED_HOSTS_HOSTNAME_LOOKUP=NO
#
######################################################################

###################################################################### 
# 
# AGE_RESET_VALID: Specifies the period of time between failed login
# attempts that, when exceeded will result in the failed count for 
# this host to be reset to 0.  This value applies to login attempts 
# to all valid users (those within /etc/passwd) with the 
# exception of root.  If not defined, this count will never
# be reset.
#
# See the comments in the PURGE_DENY section (above) 
# for details on specifying this value or for complete details 
# refer to:  http://denyhosts.sourceforge.net/faq.html#timespec
#
AGE_RESET_VALID=5d
#
######################################################################

###################################################################### 
# 
# AGE_RESET_ROOT: Specifies the period of time between failed login
# attempts that, when exceeded will result in the failed count for 
# this host to be reset to 0.  This value applies to all login 
# attempts to the "root" user account.  If not defined,
# this count will never be reset.
#
# See the comments in the PURGE_DENY section (above) 
# for details on specifying this value or for complete details 
# refer to:  http://denyhosts.sourceforge.net/faq.html#timespec
#
AGE_RESET_ROOT=25d
#
######################################################################

######################################################################
#
# AGE_RESET_RESTRICTED: Specifies the period of time between failed login
# attempts that, when exceeded will result in the failed count for
# this host to be reset to 0.  This value applies to all login
# attempts to entries found in the WORK_DIR/restricted-usernames file.
# If not defined, the count will never be reset.
#
# See the comments in the PURGE_DENY section (above)
# for details on specifying this value or for complete details
# refer to:  http://denyhosts.sourceforge.net/faq.html#timespec
#
AGE_RESET_RESTRICTED=25d
#
######################################################################

###################################################################### 
# 
# AGE_RESET_INVALID: Specifies the period of time between failed login
# attempts that, when exceeded will result in the failed count for 
# this host to be reset to 0.  This value applies to login attempts 
# made to any invalid username (those that do not appear 
# in /etc/passwd).  If not defined, count will never be reset.
#
# See the comments in the PURGE_DENY section (above) 
# for details on specifying this value or for complete details 
# refer to:  http://denyhosts.sourceforge.net/faq.html#timespec
#
AGE_RESET_INVALID=10d
#
######################################################################

######################################################################
#
# RESET_ON_SUCCESS: If this parameter is set to "yes" then the
# failed count for the respective ip address will be reset to 0
# if the login is successful.
#
# The default is RESET_ON_SUCCESS = no
#
#RESET_ON_SUCCESS = yes
#
#####################################################################

######################################################################
#
# PLUGIN_DENY: If set, this value should point to an executable
# program that will be invoked when a host is added to the
# HOSTS_DENY file.  This executable will be passed the host
# that will be added as it's only argument.
#
#PLUGIN_DENY=/usr/bin/true
#
######################################################################


######################################################################
#
# PLUGIN_PURGE: If set, this value should point to an executable
# program that will be invoked when a host is removed from the
# HOSTS_DENY file.  This executable will be passed the host
# that is to be purged as it's only argument.
#
#PLUGIN_PURGE=/usr/bin/true
#
######################################################################

######################################################################
#
# USERDEF_FAILED_ENTRY_REGEX: if set, this value should contain
# a regular expression that can be used to identify additional
# hackers for your particular ssh configuration.  This functionality
# extends the built-in regular expressions that DenyHosts uses.
# This parameter can be specified multiple times.
# See this faq entry for more details:
#    http://denyhosts.sf.net/faq.html#userdef_regex
#
#USERDEF_FAILED_ENTRY_REGEX=
#
#
######################################################################


   ######### THESE SETTINGS ARE SPECIFIC TO DAEMON MODE  ##########


#######################################################################
#
# DAEMON_LOG: when DenyHosts is run in daemon mode (--daemon flag)
# this is the logfile that DenyHosts uses to report it's status.
# To disable logging, leave blank.  (default is: /var/log/denyhosts)
#
DAEMON_LOG = /var/log/denyhosts
#
# disable logging:
#DAEMON_LOG = 
#
######################################################################

#######################################################################
# 
# DAEMON_LOG_TIME_FORMAT: when DenyHosts is run in daemon mode 
# (--daemon flag) this specifies the timestamp format of 
# the DAEMON_LOG messages (default is the ISO8061 format:
# ie. 2005-07-22 10:38:01,745)
#
# for possible values for this parameter refer to: man strftime
#
# Jan 1 13:05:59   
#DAEMON_LOG_TIME_FORMAT = %b %d %H:%M:%S
#
# Jan 1 01:05:59 
#DAEMON_LOG_TIME_FORMAT = %b %d %I:%M:%S
#
###################################################################### 

#######################################################################
# 
# DAEMON_LOG_MESSAGE_FORMAT: when DenyHosts is run in daemon mode 
# (--daemon flag) this specifies the message format of each logged
# entry.  By default the following format is used:
#
# %(asctime)s - %(name)-12s: %(levelname)-8s %(message)s
#
# Where the "%(asctime)s" portion is expanded to the format
# defined by DAEMON_LOG_TIME_FORMAT
#
# This string is passed to python's logging.Formatter contstuctor.
# For details on the possible format types please refer to:
# http://docs.python.org/lib/node357.html
#
# This is the default:
#DAEMON_LOG_MESSAGE_FORMAT = %(asctime)s - %(name)-12s: %(levelname)-8s %(message)s
#
#
###################################################################### 

 
#######################################################################
#
# DAEMON_SLEEP: when DenyHosts is run in daemon mode (--daemon flag)
# this is the amount of time DenyHosts will sleep between polling
# the SECURE_LOG.  See the comments in the PURGE_DENY section (above)
# for details on specifying this value or for complete details
# refer to:    http://denyhosts.sourceforge.net/faq.html#timespec
# 
#
DAEMON_SLEEP = 30
#
#######################################################################

#######################################################################
#
# DAEMON_PURGE: How often should DenyHosts, when run in daemon mode,
# run the purge mechanism to expire old entries in HOSTS_DENY
# This has no effect if PURGE_DENY is blank.
#
DAEMON_PURGE = 60
#
#######################################################################


   #########   THESE SETTINGS ARE SPECIFIC TO     ##########
   #########       DAEMON SYNCHRONIZATION         ##########


#######################################################################
#
# Synchronization mode allows the DenyHosts daemon the ability
# to periodically send and receive denied host data such that 
# DenyHosts daemons worldwide can automatically inform one
# another regarding banned hosts.   This mode is disabled by
# default, you must uncomment SYNC_SERVER to enable this mode.
#
# for more information, please refer to: 
#        http:/denyhosts.sourceforge.net/faq.html#sync 
#
#######################################################################


#######################################################################
#
# SYNC_SERVER: The central server that communicates with DenyHost
# daemons.  Currently, denyhosts.net is the only available server
# however, in the future, it may be possible for organizations to
# install their own server for internal network synchronization
#
# To disable synchronization (the default), do nothing. 
#
# To enable synchronization, you must uncomment the following line:
#SYNC_SERVER = http://xmlrpc.denyhosts.net:9911
#
#######################################################################

#######################################################################
#
# SYNC_INTERVAL: the interval of time to perform synchronizations if
# SYNC_SERVER has been uncommented.  The default is 1 hour.
# 
#SYNC_INTERVAL = 1h
#
#######################################################################


#######################################################################
#
# SYNC_UPLOAD: allow your DenyHosts daemon to transmit hosts that have
# been denied?  This option only applies if SYNC_SERVER has
# been uncommented.
# The default is SYNC_UPLOAD = yes
#
#SYNC_UPLOAD = no
#
#SYNC_UPLOAD = yes
#
#######################################################################


#######################################################################
#
# SYNC_DOWNLOAD: allow your DenyHosts daemon to receive hosts that have
# been denied by others?  This option only applies if SYNC_SERVER has
# been uncommented.
# The default is SYNC_DOWNLOAD = yes
#
#SYNC_DOWNLOAD = no
#
#SYNC_DOWNLOAD = yes
#
#######################################################################

#######################################################################
#
# SYNC_DOWNLOAD_THRESHOLD: If SYNC_DOWNLOAD is enabled this paramter
# filters the returned hosts to those that have been blocked this many
# times by others.  That is, if set to 1, then if a single DenyHosts
# server has denied an ip address then you will receive the denied host.
#
# See also SYNC_DOWNLOAD_RESILIENCY
# 
#SYNC_DOWNLOAD_THRESHOLD = 10
#
# The default is SYNC_DOWNLOAD_THRESHOLD = 3
#SYNC_DOWNLOAD_THRESHOLD = 3
# 
#######################################################################

#######################################################################
#
# SYNC_DOWNLOAD_RESILIENCY:  If SYNC_DOWNLOAD is enabled then the
# value specified for this option limits the downloaded data
# to this resiliency period or greater.
#
# Resiliency is defined as the timespan between a hackers first known
# attack and it's most recent attack.  Example:
#
# If the centralized   denyhosts.net server records an attack at 2 PM
# and then again at 5 PM, specifying a SYNC_DOWNLOAD_RESILIENCY = 4h
# will not download this ip address.
#
# However, if the attacker is recorded again at 6:15 PM then the
# ip address will be downloaded by your DenyHosts instance.
#
# This value is used in conjunction with the SYNC_DOWNLOAD_THRESHOLD
# and only hosts that satisfy both values will be downloaded.
# This value has no effect if SYNC_DOWNLOAD_THRESHOLD = 1
#
# The default is SYNC_DOWNLOAD_RESILIENCY = 5h (5 hours)
#
# Only obtain hackers that have been at it for 2 days or more:
#SYNC_DOWNLOAD_RESILIENCY = 2d
#
# Only obtain hackers that have been at it for 5 hours or more:
#SYNC_DOWNLOAD_RESILIENCY = 5h
#
#######################################################################
Commit	Line	Data
6b557d34	1	############ THESE SETTINGS ARE REQUIRED ############
cb64b9ac	2
	3	########################################################################
	4	#
	5	# SECURE_LOG: the log file that contains sshd logging info
	6	# if you are not sure, grep "sshd:" /var/log/*
	7	#
	8	# The file to process can be overridden with the --file command line
	9	# argument
	10	#
0dd10d1d	11	# Redhat or Fedora Core:
cb64b9ac	12	SECURE_LOG = /var/log/secure
cb64b9ac	13	#
0dd10d1d	14	# Mandrake, FreeBSD or OpenBSD:
cb64b9ac	15	#SECURE_LOG = /var/log/auth.log
	16	#
	17	# SuSE:
	18	#SECURE_LOG = /var/log/messages
	19	#
	20	########################################################################
	21
	22	########################################################################
	23	# HOSTS_DENY: the file which contains restricted host access information
	24	#
6b557d34	25	# Most operating systems:
cb64b9ac	26	HOSTS_DENY = /etc/tcpd/hosts.deny
cb64b9ac	27	#
6b557d34	28	# Some BSD (FreeBSD) Unixes:
	29	#HOSTS_DENY = /etc/hosts.allow
	30	#
	31	# Another possibility (also see the next option):
	32	#HOSTS_DENY = /etc/hosts.evil
	33	#######################################################################
	34
6b557d34	35	########################################################################
	36	# PURGE_DENY: removed HOSTS_DENY entries that are older than this time
	37	# when DenyHosts is invoked with the --purge flag
	38	#
	39	# format is: i[dhwmy]
	40	# Where 'i' is an integer (eg. 7)
	41	# 'm' = minutes
	42	# 'h' = hours
	43	# 'd' = days
	44	# 'w' = weeks
	45	# 'y' = years
	46	#
	47	# never purge:
	48	PURGE_DENY =
	49	#
	50	# purge entries older than 1 week
	51	#PURGE_DENY = 1w
	52	#
	53	# purge entries older than 5 days
	54	#PURGE_DENY = 5d
cb64b9ac	55	#######################################################################
cb64b9ac	56
cb64b9ac	57	#######################################################################
	58	# BLOCK_SERVICE: the service name that should be blocked in HOSTS_DENY
	59	#
400edb92	60	# man 5 hosts_access for details
cb64b9ac	61	#
6b557d34	62	# eg. sshd: 127.0.0.1 # will block sshd logins from 127.0.0.1
cb64b9ac	63	#
	64	# To block all services for the offending host:
	65	#BLOCK_SERVICE = ALL
	66	# To block only sshd:
6b557d34	67	BLOCK_SERVICE = sshd
	68	# To only record the offending host and nothing else (if using
	69	# an auxilary file to list the hosts). Refer to:
	70	# http://denyhosts.sourceforge.net/faq.html#aux
	71	#BLOCK_SERVICE =
cb64b9ac	72	#
	73	#######################################################################
	74
	75	#######################################################################
	76	#
0dd10d1d MB	77	# DENY_THRESHOLD_INVALID: block each host after the number of failed login
	78	# attempts has exceeded this value. This value applies to invalid
	79	# user login attempts (eg. non-existent user accounts)
cb64b9ac	80	#
0dd10d1d	81	DENY_THRESHOLD_INVALID = 3
cb64b9ac	82	#
	83	#######################################################################
	84
0dd10d1d MB	85	#######################################################################
	86	#
	87	# DENY_THRESHOLD_VALID: block each host after the number of failed
	88	# login attempts has exceeded this value. This value applies to valid
	89	# user login attempts (eg. user accounts that exist in /etc/passwd) except
	90	# for the "root" user
	91	#
	92	DENY_THRESHOLD_VALID = 10
	93	#
	94	#######################################################################
	95
	96	#######################################################################
	97	#
	98	# DENY_THRESHOLD_ROOT: block each host after the number of failed
	99	# login attempts has exceeded this value. This value applies to
	100	# "root" user login attempts only.
	101	#
	102	DENY_THRESHOLD_ROOT = 1
	103	#
	104	#######################################################################
	105
c3be9809 RT	106	#######################################################################
	107	#
	108	# DENY_THRESHOLD_RESTRICTED: block each host after the number of failed
	109	# login attempts has exceeded this value. This value applies to
	110	# usernames that appear in the WORK_DIR/restricted-usernames file only.
	111	#
	112	DENY_THRESHOLD_RESTRICTED = 1
	113	#
	114	#######################################################################
0dd10d1d	115
cb64b9ac	116	#######################################################################
	117	#
	118	# WORK_DIR: the path that DenyHosts will use for writing data to
0dd10d1d MB	119	# (it will be created if it does not already exist).
0dd10d1d MB	120	#
c3be9809 RT	121	# Note: it is recommended that you use an absolute pathname
c3be9809 RT	122	# for this value (eg. /home/foo/denyhosts/data)
6b557d34	123	#
6b557d34	124	WORK_DIR = /var/lib/DenyHosts
cb64b9ac	125	#
	126	#######################################################################
	127
6b557d34	128	#######################################################################
	129	#
	130	# SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS
	131	#
	132	# SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES\|NO
	133	# If set to YES, if a suspicious login attempt results from an allowed-host
	134	# then it is considered suspicious. If this is NO, then suspicious logins
	135	# from allowed-hosts will not be reported. All suspicious logins from
	136	# ip addresses that are not in allowed-hosts will always be reported.
	137	#
	138	SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
	139	######################################################################
	140
	141	######################################################################
	142	#
	143	# HOSTNAME_LOOKUP
	144	#
	145	# HOSTNAME_LOOKUP=YES\|NO
	146	# If set to YES, for each IP address that is reported by Denyhosts,
	147	# the corresponding hostname will be looked up and reported as well
	148	# (if available).
	149	#
	150	HOSTNAME_LOOKUP=YES
0dd10d1d	151	#
6b557d34	152	######################################################################
cb64b9ac	153
6b557d34	154	######################################################################
	155	#
	156	# LOCK_FILE
	157	#
	158	# LOCK_FILE=/path/denyhosts
	159	# If this file exists when DenyHosts is run, then DenyHosts will exit
	160	# immediately. Otherwise, this file will be created upon invocation
	161	# and deleted upon exit. This ensures that only one instance is
	162	# running at a time.
	163	#
	164	# Redhat/Fedora:
	165	LOCK_FILE = /var/lock/subsys/denyhosts
	166	#
0dd10d1d MB	167	# Debian
	168	#LOCK_FILE = /var/run/denyhosts.pid
	169	#
	170	# Misc
6b557d34	171	#LOCK_FILE = /tmp/denyhosts.lock
0dd10d1d	172	#
6b557d34	173	######################################################################
	174
	175
	176	############ THESE SETTINGS ARE OPTIONAL ############
cb64b9ac	177
	178
	179	#######################################################################
	180	#
	181	# ADMIN_EMAIL: if you would like to receive emails regarding newly
	182	# restricted hosts and suspicious logins, set this address to
	183	# match your email address. If you do not want to receive these reports
	184	# leave this field blank (or run with the --noemail option)
	185	#
	186	ADMIN_EMAIL = root@localhost
	187	#
	188	#######################################################################
	189
	190	#######################################################################
	191	#
	192	SMTP_HOST = localhost
	193	SMTP_PORT = 25
0dd10d1d	194	SMTP_FROM = DenyHosts <nobody@localhost>
cb64b9ac	195	SMTP_SUBJECT = DenyHosts Report
0dd10d1d MB	196	#SMTP_USERNAME=foo
0dd10d1d MB	197	#SMTP_PASSWORD=bar
cb64b9ac	198	#
	199	#######################################################################
	200
0dd10d1d MB	201	######################################################################
	202	#
	203	# ALLOWED_HOSTS_HOSTNAME_LOOKUP
	204	#
	205	# ALLOWED_HOSTS_HOSTNAME_LOOKUP=YES\|NO
	206	# If set to YES, for each entry in the WORK_DIR/allowed-hosts file,
	207	# the hostname will be looked up. If your versions of tcp_wrappers
	208	# and sshd sometimes log hostnames in addition to ip addresses
	209	# then you may wish to specify this option.
	210	#
	211	#ALLOWED_HOSTS_HOSTNAME_LOOKUP=NO
	212	#
	213	######################################################################
	214
	215	######################################################################
	216	#
	217	# AGE_RESET_VALID: Specifies the period of time between failed login
	218	# attempts that, when exceeded will result in the failed count for
	219	# this host to be reset to 0. This value applies to login attempts
	220	# to all valid users (those within /etc/passwd) with the
	221	# exception of root. If not defined, this count will never
	222	# be reset.
	223	#
	224	# See the comments in the PURGE_DENY section (above)
	225	# for details on specifying this value or for complete details
	226	# refer to: http://denyhosts.sourceforge.net/faq.html#timespec
	227	#
	228	AGE_RESET_VALID=5d
	229	#
	230	######################################################################
	231
	232	######################################################################
	233	#
	234	# AGE_RESET_ROOT: Specifies the period of time between failed login
	235	# attempts that, when exceeded will result in the failed count for
	236	# this host to be reset to 0. This value applies to all login
	237	# attempts to the "root" user account. If not defined,
	238	# this count will never be reset.
	239	#
	240	# See the comments in the PURGE_DENY section (above)
	241	# for details on specifying this value or for complete details
	242	# refer to: http://denyhosts.sourceforge.net/faq.html#timespec
	243	#
	244	AGE_RESET_ROOT=25d
	245	#
	246	######################################################################
	247
c3be9809 RT	248	######################################################################
	249	#
	250	# AGE_RESET_RESTRICTED: Specifies the period of time between failed login
	251	# attempts that, when exceeded will result in the failed count for
	252	# this host to be reset to 0. This value applies to all login
	253	# attempts to entries found in the WORK_DIR/restricted-usernames file.
	254	# If not defined, the count will never be reset.
	255	#
	256	# See the comments in the PURGE_DENY section (above)
	257	# for details on specifying this value or for complete details
	258	# refer to: http://denyhosts.sourceforge.net/faq.html#timespec
	259	#
	260	AGE_RESET_RESTRICTED=25d
	261	#
	262	######################################################################
	263
0dd10d1d MB	264	######################################################################
	265	#
	266	# AGE_RESET_INVALID: Specifies the period of time between failed login
	267	# attempts that, when exceeded will result in the failed count for
	268	# this host to be reset to 0. This value applies to login attempts
	269	# made to any invalid username (those that do not appear
	270	# in /etc/passwd). If not defined, count will never be reset.
	271	#
	272	# See the comments in the PURGE_DENY section (above)
	273	# for details on specifying this value or for complete details
	274	# refer to: http://denyhosts.sourceforge.net/faq.html#timespec
	275	#
	276	AGE_RESET_INVALID=10d
	277	#
	278	######################################################################
	279
c3be9809 RT	280	######################################################################
	281	#
	282	# RESET_ON_SUCCESS: If this parameter is set to "yes" then the
	283	# failed count for the respective ip address will be reset to 0
	284	# if the login is successful.
	285	#
	286	# The default is RESET_ON_SUCCESS = no
	287	#
	288	#RESET_ON_SUCCESS = yes
	289	#
	290	#####################################################################
	291
0dd10d1d MB	292	######################################################################
	293	#
	294	# PLUGIN_DENY: If set, this value should point to an executable
	295	# program that will be invoked when a host is added to the
	296	# HOSTS_DENY file. This executable will be passed the host
	297	# that will be added as it's only argument.
	298	#
	299	#PLUGIN_DENY=/usr/bin/true
	300	#
	301	######################################################################
	302
	303
	304	######################################################################
	305	#
	306	# PLUGIN_PURGE: If set, this value should point to an executable
	307	# program that will be invoked when a host is removed from the
	308	# HOSTS_DENY file. This executable will be passed the host
	309	# that is to be purged as it's only argument.
	310	#
	311	#PLUGIN_PURGE=/usr/bin/true
	312	#
	313	######################################################################
	314
400edb92 MB	315	######################################################################
	316	#
	317	# USERDEF_FAILED_ENTRY_REGEX: if set, this value should contain
	318	# a regular expression that can be used to identify additional
	319	# hackers for your particular ssh configuration. This functionality
	320	# extends the built-in regular expressions that DenyHosts uses.
	321	# This parameter can be specified multiple times.
	322	# See this faq entry for more details:
	323	# http://denyhosts.sf.net/faq.html#userdef_regex
	324	#
	325	#USERDEF_FAILED_ENTRY_REGEX=
	326	#
	327	#
	328	######################################################################
	329
	330
	331
0dd10d1d MB	332
0dd10d1d MB	333	######### THESE SETTINGS ARE SPECIFIC TO DAEMON MODE ##########
6b557d34	334
6b557d34	335
400edb92	336
6b557d34	337	#######################################################################
	338	#
	339	# DAEMON_LOG: when DenyHosts is run in daemon mode (--daemon flag)
	340	# this is the logfile that DenyHosts uses to report it's status.
	341	# To disable logging, leave blank. (default is: /var/log/denyhosts)
	342	#
	343	DAEMON_LOG = /var/log/denyhosts
	344	#
	345	# disable logging:
	346	#DAEMON_LOG =
	347	#
	348	######################################################################
	349
0dd10d1d MB	350	#######################################################################
	351	#
	352	# DAEMON_LOG_TIME_FORMAT: when DenyHosts is run in daemon mode
	353	# (--daemon flag) this specifies the timestamp format of
	354	# the DAEMON_LOG messages (default is the ISO8061 format:
	355	# ie. 2005-07-22 10:38:01,745)
	356	#
	357	# for possible values for this parameter refer to: man strftime
	358	#
	359	# Jan 1 13:05:59
	360	#DAEMON_LOG_TIME_FORMAT = %b %d %H:%M:%S
	361	#
	362	# Jan 1 01:05:59
	363	#DAEMON_LOG_TIME_FORMAT = %b %d %I:%M:%S
	364	#
	365	######################################################################
400edb92 MB	366
	367	#######################################################################
	368	#
	369	# DAEMON_LOG_MESSAGE_FORMAT: when DenyHosts is run in daemon mode
	370	# (--daemon flag) this specifies the message format of each logged
	371	# entry. By default the following format is used:
	372	#
	373	# %(asctime)s - %(name)-12s: %(levelname)-8s %(message)s
	374	#
	375	# Where the "%(asctime)s" portion is expanded to the format
	376	# defined by DAEMON_LOG_TIME_FORMAT
	377	#
	378	# This string is passed to python's logging.Formatter contstuctor.
	379	# For details on the possible format types please refer to:
	380	# http://docs.python.org/lib/node357.html
	381	#
	382	# This is the default:
	383	#DAEMON_LOG_MESSAGE_FORMAT = %(asctime)s - %(name)-12s: %(levelname)-8s %(message)s
	384	#
	385	#
	386	######################################################################
	387
0dd10d1d	388
6b557d34	389	#######################################################################
	390	#
	391	# DAEMON_SLEEP: when DenyHosts is run in daemon mode (--daemon flag)
	392	# this is the amount of time DenyHosts will sleep between polling
0dd10d1d MB	393	# the SECURE_LOG. See the comments in the PURGE_DENY section (above)
	394	# for details on specifying this value or for complete details
	395	# refer to: http://denyhosts.sourceforge.net/faq.html#timespec
	396	#
6b557d34	397	#
	398	DAEMON_SLEEP = 30
	399	#
	400	#######################################################################
	401
	402	#######################################################################
	403	#
0dd10d1d	404	# DAEMON_PURGE: How often should DenyHosts, when run in daemon mode,
6b557d34	405	# run the purge mechanism to expire old entries in HOSTS_DENY
6b557d34	406	# This has no effect if PURGE_DENY is blank.
	407	#
	408	DAEMON_PURGE = 60
	409	#
	410	#######################################################################
	411
400edb92 MB	412
	413	######### THESE SETTINGS ARE SPECIFIC TO ##########
	414	######### DAEMON SYNCHRONIZATION ##########
	415
	416
	417	#######################################################################
	418	#
	419	# Synchronization mode allows the DenyHosts daemon the ability
	420	# to periodically send and receive denied host data such that
	421	# DenyHosts daemons worldwide can automatically inform one
	422	# another regarding banned hosts. This mode is disabled by
	423	# default, you must uncomment SYNC_SERVER to enable this mode.
	424	#
	425	# for more information, please refer to:
	426	# http:/denyhosts.sourceforge.net/faq.html#sync
	427	#
	428	#######################################################################
	429
	430
	431	#######################################################################
	432	#
	433	# SYNC_SERVER: The central server that communicates with DenyHost
	434	# daemons. Currently, denyhosts.net is the only available server
	435	# however, in the future, it may be possible for organizations to
	436	# install their own server for internal network synchronization
	437	#
	438	# To disable synchronization (the default), do nothing.
	439	#
	440	# To enable synchronization, you must uncomment the following line:
	441	#SYNC_SERVER = http://xmlrpc.denyhosts.net:9911
	442	#
	443	#######################################################################
	444
	445	#######################################################################
	446	#
	447	# SYNC_INTERVAL: the interval of time to perform synchronizations if
	448	# SYNC_SERVER has been uncommented. The default is 1 hour.
	449	#
	450	#SYNC_INTERVAL = 1h
	451	#
	452	#######################################################################
	453
	454
	455	#######################################################################
	456	#
	457	# SYNC_UPLOAD: allow your DenyHosts daemon to transmit hosts that have
	458	# been denied? This option only applies if SYNC_SERVER has
	459	# been uncommented.
c3be9809	460	# The default is SYNC_UPLOAD = yes
400edb92 MB	461	#
	462	#SYNC_UPLOAD = no
	463	#
400edb92 MB	464	#SYNC_UPLOAD = yes
	465	#
	466	#######################################################################
	467
	468
	469	#######################################################################
	470	#
	471	# SYNC_DOWNLOAD: allow your DenyHosts daemon to receive hosts that have
	472	# been denied by others? This option only applies if SYNC_SERVER has
	473	# been uncommented.
c3be9809	474	# The default is SYNC_DOWNLOAD = yes
400edb92 MB	475	#
	476	#SYNC_DOWNLOAD = no
	477	#
400edb92 MB	478	#SYNC_DOWNLOAD = yes
	479	#
	480	#######################################################################
	481
	482	#######################################################################
	483	#
	484	# SYNC_DOWNLOAD_THRESHOLD: If SYNC_DOWNLOAD is enabled this paramter
	485	# filters the returned hosts to those that have been blocked this many
	486	# times by others. That is, if set to 1, then if a single DenyHosts
	487	# server has denied an ip address then you will receive the denied host.
c3be9809 RT	488	#
c3be9809 RT	489	# See also SYNC_DOWNLOAD_RESILIENCY
400edb92 MB	490	#
	491	#SYNC_DOWNLOAD_THRESHOLD = 10
	492	#
c3be9809	493	# The default is SYNC_DOWNLOAD_THRESHOLD = 3
400edb92 MB	494	#SYNC_DOWNLOAD_THRESHOLD = 3
	495	#
	496	#######################################################################
	497
c3be9809 RT	498	#######################################################################
	499	#
	500	# SYNC_DOWNLOAD_RESILIENCY: If SYNC_DOWNLOAD is enabled then the
	501	# value specified for this option limits the downloaded data
	502	# to this resiliency period or greater.
	503	#
	504	# Resiliency is defined as the timespan between a hackers first known
	505	# attack and it's most recent attack. Example:
	506	#
	507	# If the centralized denyhosts.net server records an attack at 2 PM
	508	# and then again at 5 PM, specifying a SYNC_DOWNLOAD_RESILIENCY = 4h
	509	# will not download this ip address.
	510	#
	511	# However, if the attacker is recorded again at 6:15 PM then the
	512	# ip address will be downloaded by your DenyHosts instance.
	513	#
	514	# This value is used in conjunction with the SYNC_DOWNLOAD_THRESHOLD
	515	# and only hosts that satisfy both values will be downloaded.
	516	# This value has no effect if SYNC_DOWNLOAD_THRESHOLD = 1
	517	#
	518	# The default is SYNC_DOWNLOAD_RESILIENCY = 5h (5 hours)
	519	#
	520	# Only obtain hackers that have been at it for 2 days or more:
	521	#SYNC_DOWNLOAD_RESILIENCY = 2d
	522	#
	523	# Only obtain hackers that have been at it for 5 hours or more:
	524	#SYNC_DOWNLOAD_RESILIENCY = 5h
	525	#
	526	#######################################################################
400edb92	527