6b557d34 | 1 | ############ THESE SETTINGS ARE REQUIRED ############ |
cb64b9ac | 2 | |
3 | ######################################################################## | |
4 | # | |
5 | # SECURE_LOG: the log file that contains sshd logging info | |
6 | # if you are not sure, grep "sshd:" /var/log/* | |
7 | # | |
8 | # The file to process can be overridden with the --file command line | |
9 | # argument | |
10 | # | |
0dd10d1d | 11 | # Redhat or Fedora Core: |
cb64b9ac | 12 | SECURE_LOG = /var/log/secure |
13 | # | |
0dd10d1d | 14 | # Mandrake, FreeBSD or OpenBSD: |
cb64b9ac | 15 | #SECURE_LOG = /var/log/auth.log |
16 | # | |
17 | # SuSE: | |
18 | #SECURE_LOG = /var/log/messages | |
19 | # | |
20 | ######################################################################## | |
21 | ||
22 | ######################################################################## | |
23 | # HOSTS_DENY: the file which contains restricted host access information | |
24 | # | |
6b557d34 | 25 | # Most operating systems (check that this is the path your tcp_wrappers |
| | # build actually reads -- commonly /etc/hosts.deny; if it is not, entries | |
| | # are written here but nothing is ever blocked): | |
cb64b9ac | 26 | HOSTS_DENY = /etc/tcpd/hosts.deny |
27 | # | |
6b557d34 | 28 | # Some BSD (FreeBSD) Unixes: |
29 | #HOSTS_DENY = /etc/hosts.allow | |
30 | # | |
31 | # Another possibility (also see the next option): | |
32 | #HOSTS_DENY = /etc/hosts.evil | |
33 | ####################################################################### | |
34 | ||
6b557d34 | 35 | ######################################################################## |
36 | # PURGE_DENY: remove HOSTS_DENY entries that are older than this time | |
37 | # when DenyHosts is invoked with the --purge flag | |
38 | # | |
39 | # format is: i[dhwmy] | |
40 | # Where 'i' is an integer (eg. 7) | |
41 | # 'm' = minutes | |
42 | # 'h' = hours | |
43 | # 'd' = days | |
44 | # 'w' = weeks | |
45 | # 'y' = years | |
46 | # | |
47 | # never purge: | |
48 | PURGE_DENY = | |
49 | # | |
50 | # purge entries older than 1 week | |
51 | #PURGE_DENY = 1w | |
52 | # | |
53 | # purge entries older than 5 days | |
54 | #PURGE_DENY = 5d | |
cb64b9ac | 55 | ####################################################################### |
56 | ||
cb64b9ac | 57 | ####################################################################### |
58 | # BLOCK_SERVICE: the service name that should be blocked in HOSTS_DENY | |
59 | # | |
400edb92 | 60 | # man 5 hosts_access for details |
cb64b9ac | 61 | # |
6b557d34 | 62 | # eg. sshd: 127.0.0.1 # will block sshd logins from 127.0.0.1 |
cb64b9ac | 63 | # |
64 | # To block all services for the offending host: | |
65 | #BLOCK_SERVICE = ALL | |
66 | # To block only sshd: | |
6b557d34 | 67 | BLOCK_SERVICE = sshd |
68 | # To only record the offending host and nothing else (if using | |
69 | # an auxiliary file to list the hosts). Refer to: | |
70 | # http://denyhosts.sourceforge.net/faq.html#aux | |
71 | #BLOCK_SERVICE = | |
cb64b9ac | 72 | # |
73 | ####################################################################### | |
74 | ||
75 | ####################################################################### | |
76 | # | |
0dd10d1d MB |
77 | # DENY_THRESHOLD_INVALID: block each host after the number of failed login |
78 | # attempts has exceeded this value. This value applies to invalid | |
79 | # user login attempts (eg. non-existent user accounts) | |
cb64b9ac | 80 | # |
0dd10d1d | 81 | DENY_THRESHOLD_INVALID = 3 |
cb64b9ac | 82 | # |
83 | ####################################################################### | |
84 | ||
0dd10d1d MB |
85 | ####################################################################### |
86 | # | |
87 | # DENY_THRESHOLD_VALID: block each host after the number of failed | |
88 | # login attempts has exceeded this value. This value applies to valid | |
89 | # user login attempts (eg. user accounts that exist in /etc/passwd) except | |
90 | # for the "root" user | |
91 | # | |
92 | DENY_THRESHOLD_VALID = 10 | |
93 | # | |
94 | ####################################################################### | |
95 | ||
96 | ####################################################################### | |
97 | # | |
98 | # DENY_THRESHOLD_ROOT: block each host after the number of failed | |
99 | # login attempts has exceeded this value. This value applies to | |
100 | # "root" user login attempts only. With the value 1 below, a single | |
| | # mistyped root password denies the source address, so make sure your own | |
| | # management addresses are listed in WORK_DIR/allowed-hosts (expected to | |
| | # exempt them -- confirm for your version) and consider disabling | |
| | # password-based root login in sshd altogether. | |
101 | # | |
102 | DENY_THRESHOLD_ROOT = 1 | |
103 | # | |
104 | ####################################################################### | |
105 | ||
c3be9809 RT |
106 | ####################################################################### |
107 | # | |
108 | # DENY_THRESHOLD_RESTRICTED: block each host after the number of failed | |
109 | # login attempts has exceeded this value. This value applies to | |
110 | # usernames that appear in the WORK_DIR/restricted-usernames file only. | |
111 | # | |
112 | DENY_THRESHOLD_RESTRICTED = 1 | |
113 | # | |
114 | ####################################################################### | |
0dd10d1d | 115 | |
cb64b9ac | 116 | ####################################################################### |
117 | # | |
118 | # WORK_DIR: the path that DenyHosts will use for writing data to | |
0dd10d1d MB |
119 | # (it will be created if it does not already exist). It holds the | |
| | # allowed-hosts and restricted-usernames files, so it must be writable | |
| | # only by the account DenyHosts runs as. | |
120 | # | |
c3be9809 RT |
121 | # Note: it is recommended that you use an absolute pathname |
122 | # for this value (eg. /home/foo/denyhosts/data) | |
6b557d34 | 123 | # |
124 | WORK_DIR = /var/lib/DenyHosts | |
cb64b9ac | 125 | # |
126 | ####################################################################### | |
127 | ||
6b557d34 | 128 | ####################################################################### |
129 | # | |
130 | # SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS | |
131 | # | |
132 | # SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES|NO | |
133 | # If set to YES, a suspicious login attempt that originates from a host | |
134 | # listed in allowed-hosts is still reported. If set to NO, suspicious logins | |
135 | # from allowed-hosts are not reported. Suspicious logins from ip addresses | |
136 | # that are not in allowed-hosts are always reported, whatever this is set to. | |
137 | # | |
138 | SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES | |
139 | ###################################################################### | |
140 | ||
141 | ###################################################################### | |
142 | # | |
143 | # HOSTNAME_LOOKUP | |
144 | # | |
145 | # HOSTNAME_LOOKUP=YES|NO | |
146 | # If set to YES, for each IP address that is reported by Denyhosts, | |
147 | # the corresponding hostname will be looked up and reported as well | |
148 | # (if available). The name comes from the address's reverse (PTR) record, | |
| | # which is controlled by whoever owns that address space, so treat reported | |
| | # hostnames as untrusted (and note the lookups add latency to each report). | |
149 | # | |
150 | HOSTNAME_LOOKUP=YES | |
0dd10d1d | 151 | # |
6b557d34 | 152 | ###################################################################### |
cb64b9ac | 153 | |
6b557d34 | 154 | ###################################################################### |
155 | # | |
156 | # LOCK_FILE | |
157 | # | |
158 | # LOCK_FILE=/path/denyhosts | |
159 | # If this file exists when DenyHosts is run, then DenyHosts will exit | |
160 | # immediately. Otherwise, this file will be created upon invocation | |
161 | # and deleted upon exit. This ensures that only one instance is | |
162 | # running at a time. | |
163 | # | |
164 | # Redhat/Fedora: | |
165 | LOCK_FILE = /var/lock/subsys/denyhosts | |
166 | # | |
0dd10d1d MB |
167 | # Debian |
168 | #LOCK_FILE = /var/run/denyhosts.pid | |
169 | # | |
170 | # Misc -- not recommended: /tmp is world-writable, so any local user can | |
| | # create this file in advance and, per the exit-if-exists behaviour above, | |
| | # keep DenyHosts from ever running. Use a root-owned directory instead. | |
6b557d34 | 171 | #LOCK_FILE = /tmp/denyhosts.lock |
0dd10d1d | 172 | # |
6b557d34 | 173 | ###################################################################### |
174 | ||
175 | ||
176 | ############ THESE SETTINGS ARE OPTIONAL ############ | |
cb64b9ac | 177 | |
178 | ||
179 | ####################################################################### | |
180 | # | |
181 | # ADMIN_EMAIL: if you would like to receive emails regarding newly | |
182 | # restricted hosts and suspicious logins, set this address to | |
183 | # match your email address. If you do not want to receive these reports | |
184 | # leave this field blank (or run with the --noemail option) | |
185 | # | |
186 | ADMIN_EMAIL = root@localhost | |
187 | # | |
188 | ####################################################################### | |
189 | ||
190 | ####################################################################### | |
191 | # | |
192 | SMTP_HOST = localhost | |
193 | SMTP_PORT = 25 | |
0dd10d1d | 194 | SMTP_FROM = DenyHosts <nobody@localhost> |
cb64b9ac | 195 | SMTP_SUBJECT = DenyHosts Report |
0dd10d1d MB |
| | # If SMTP authentication is required, the password below is stored in | |
| | # clear text: restrict this file (e.g. root-owned, mode 600) rather than | |
| | # leaving it readable by every local user. | |
196 | #SMTP_USERNAME=foo |
197 | #SMTP_PASSWORD=bar | |
cb64b9ac | 198 | # |
199 | ####################################################################### | |
200 | ||
0dd10d1d MB |
201 | ###################################################################### |
202 | # | |
203 | # ALLOWED_HOSTS_HOSTNAME_LOOKUP | |
204 | # | |
205 | # ALLOWED_HOSTS_HOSTNAME_LOOKUP=YES|NO | |
206 | # If set to YES, for each entry in the WORK_DIR/allowed-hosts file, | |
207 | # the hostname will be looked up. If your versions of tcp_wrappers | |
208 | # and sshd sometimes log hostnames in addition to ip addresses | |
209 | # then you may wish to specify this option. | |
210 | # | |
211 | #ALLOWED_HOSTS_HOSTNAME_LOOKUP=NO | |
212 | # | |
213 | ###################################################################### | |
214 | ||
215 | ###################################################################### | |
216 | # | |
217 | # AGE_RESET_VALID: Specifies the period of time between failed login | |
218 | # attempts that, when exceeded will result in the failed count for | |
219 | # this host to be reset to 0. This value applies to login attempts | |
220 | # to all valid users (those within /etc/passwd) with the | |
221 | # exception of root. If not defined, this count will never | |
222 | # be reset. | |
223 | # | |
224 | # See the comments in the PURGE_DENY section (above) | |
225 | # for details on specifying this value or for complete details | |
226 | # refer to: http://denyhosts.sourceforge.net/faq.html#timespec | |
227 | # | |
228 | AGE_RESET_VALID=5d | |
229 | # | |
230 | ###################################################################### | |
231 | ||
232 | ###################################################################### | |
233 | # | |
234 | # AGE_RESET_ROOT: Specifies the period of time between failed login | |
235 | # attempts that, when exceeded will result in the failed count for | |
236 | # this host to be reset to 0. This value applies to all login | |
237 | # attempts to the "root" user account. If not defined, | |
238 | # this count will never be reset. | |
239 | # | |
240 | # See the comments in the PURGE_DENY section (above) | |
241 | # for details on specifying this value or for complete details | |
242 | # refer to: http://denyhosts.sourceforge.net/faq.html#timespec | |
243 | # | |
244 | AGE_RESET_ROOT=25d | |
245 | # | |
246 | ###################################################################### | |
247 | ||
c3be9809 RT |
248 | ###################################################################### |
249 | # | |
250 | # AGE_RESET_RESTRICTED: Specifies the period of time between failed login | |
251 | # attempts that, when exceeded will result in the failed count for | |
252 | # this host to be reset to 0. This value applies to all login | |
253 | # attempts to entries found in the WORK_DIR/restricted-usernames file. | |
254 | # If not defined, the count will never be reset. | |
255 | # | |
256 | # See the comments in the PURGE_DENY section (above) | |
257 | # for details on specifying this value or for complete details | |
258 | # refer to: http://denyhosts.sourceforge.net/faq.html#timespec | |
259 | # | |
260 | AGE_RESET_RESTRICTED=25d | |
261 | # | |
262 | ###################################################################### | |
263 | ||
0dd10d1d MB |
264 | ###################################################################### |
265 | # | |
266 | # AGE_RESET_INVALID: Specifies the period of time between failed login | |
267 | # attempts that, when exceeded will result in the failed count for | |
268 | # this host to be reset to 0. This value applies to login attempts | |
269 | # made to any invalid username (those that do not appear | |
270 | # in /etc/passwd). If not defined, count will never be reset. | |
271 | # | |
272 | # See the comments in the PURGE_DENY section (above) | |
273 | # for details on specifying this value or for complete details | |
274 | # refer to: http://denyhosts.sourceforge.net/faq.html#timespec | |
275 | # | |
276 | AGE_RESET_INVALID=10d | |
277 | # | |
278 | ###################################################################### | |
279 | ||
c3be9809 RT |
280 | ###################################################################### |
281 | # | |
282 | # RESET_ON_SUCCESS: If this parameter is set to "yes" then the | |
283 | # failed count for the respective ip address will be reset to 0 | |
284 | # if the login is successful. | |
285 | # | |
286 | # The default is RESET_ON_SUCCESS = no | |
287 | # | |
288 | #RESET_ON_SUCCESS = yes | |
289 | # | |
290 | ##################################################################### | |
291 | ||
0dd10d1d MB |
292 | ###################################################################### |
293 | # | |
294 | # PLUGIN_DENY: If set, this value should point to an executable | |
295 | # program that will be invoked when a host is added to the | |
296 | # HOSTS_DENY file. This executable will be passed the host | |
297 | # that will be added as its only argument. That value is derived from | |
| | # lines parsed out of SECURE_LOG (or matched by USERDEF_FAILED_ENTRY_REGEX), | |
| | # i.e. from attacker-influenced input, so the program must treat its argument | |
| | # as untrusted: never interpolate it into a shell command line unquoted. | |
298 | # | |
299 | #PLUGIN_DENY=/usr/bin/true | |
300 | # | |
301 | ###################################################################### | |
302 | ||
303 | ||
304 | ###################################################################### | |
305 | # | |
306 | # PLUGIN_PURGE: If set, this value should point to an executable | |
307 | # program that will be invoked when a host is removed from the | |
308 | # HOSTS_DENY file. This executable will be passed the host | |
309 | # that is to be purged as its only argument. Treat that argument as | |
| | # untrusted input: it originated from parsed log data or from SYNC_DOWNLOAD. | |
310 | # | |
311 | #PLUGIN_PURGE=/usr/bin/true | |
312 | # | |
313 | ###################################################################### | |
314 | ||
400edb92 MB |
315 | ###################################################################### |
316 | # | |
317 | # USERDEF_FAILED_ENTRY_REGEX: if set, this value should contain | |
318 | # a regular expression that can be used to identify additional | |
319 | # hackers for your particular ssh configuration. This functionality | |
320 | # extends the built-in regular expressions that DenyHosts uses. | |
321 | # This parameter can be specified multiple times. Test each pattern against | |
| | # real SECURE_LOG lines before deploying it: a pattern that is too broad, or | |
| | # that picks up the wrong field as the host, will deny legitimate clients. | |
322 | # See this faq entry for more details: | |
323 | # http://denyhosts.sf.net/faq.html#userdef_regex | |
324 | # | |
325 | #USERDEF_FAILED_ENTRY_REGEX= | |
326 | # | |
327 | # | |
328 | ###################################################################### | |
329 | ||
330 | ||
331 | ||
0dd10d1d MB |
332 | |
333 | ######### THESE SETTINGS ARE SPECIFIC TO DAEMON MODE ########## | |
6b557d34 | 334 | |
335 | ||
400edb92 | 336 | |
6b557d34 | 337 | ####################################################################### |
338 | # | |
339 | # DAEMON_LOG: when DenyHosts is run in daemon mode (--daemon flag) | |
340 | # this is the logfile that DenyHosts uses to report its status. | |
341 | # To disable logging, leave blank. (default is: /var/log/denyhosts) | |
342 | # | |
343 | DAEMON_LOG = /var/log/denyhosts | |
344 | # | |
345 | # disable logging: | |
346 | #DAEMON_LOG = | |
347 | # | |
348 | ###################################################################### | |
349 | ||
0dd10d1d MB |
350 | ####################################################################### |
351 | # | |
352 | # DAEMON_LOG_TIME_FORMAT: when DenyHosts is run in daemon mode | |
353 | # (--daemon flag) this specifies the timestamp format of | |
354 | # the DAEMON_LOG messages (default is the ISO 8601 format, | |
355 | # i.e. 2005-07-22 10:38:01,745) | |
356 | # | |
357 | # for possible values for this parameter refer to: man strftime | |
358 | # | |
359 | # Jan 1 13:05:59 | |
360 | #DAEMON_LOG_TIME_FORMAT = %b %d %H:%M:%S | |
361 | # | |
362 | # Jan 1 01:05:59 | |
363 | #DAEMON_LOG_TIME_FORMAT = %b %d %I:%M:%S | |
364 | # | |
365 | ###################################################################### | |
400edb92 MB |
366 | |
367 | ####################################################################### | |
368 | # | |
369 | # DAEMON_LOG_MESSAGE_FORMAT: when DenyHosts is run in daemon mode | |
370 | # (--daemon flag) this specifies the message format of each logged | |
371 | # entry. By default the following format is used: | |
372 | # | |
373 | # %(asctime)s - %(name)-12s: %(levelname)-8s %(message)s | |
374 | # | |
375 | # Where the "%(asctime)s" portion is expanded to the format | |
376 | # defined by DAEMON_LOG_TIME_FORMAT | |
377 | # | |
378 | # This string is passed to python's logging.Formatter constructor. | |
379 | # For details on the possible format types please refer to: | |
380 | # http://docs.python.org/lib/node357.html | |
381 | # | |
382 | # This is the default: | |
383 | #DAEMON_LOG_MESSAGE_FORMAT = %(asctime)s - %(name)-12s: %(levelname)-8s %(message)s | |
384 | # | |
385 | # | |
386 | ###################################################################### | |
387 | ||
0dd10d1d | 388 | |
6b557d34 | 389 | ####################################################################### |
390 | # | |
391 | # DAEMON_SLEEP: when DenyHosts is run in daemon mode (--daemon flag) | |
392 | # this is the amount of time DenyHosts will sleep between polling | |
0dd10d1d MB |
393 | # the SECURE_LOG. See the comments in the PURGE_DENY section (above) |
394 | # for details on specifying this value or for complete details | |
395 | # refer to: http://denyhosts.sourceforge.net/faq.html#timespec | |
396 | # | |
6b557d34 | 397 | # Note: the value below carries no unit suffix (DenyHosts presumably treats |
| | # a bare number as seconds -- confirm for your version). Thresholds are only | |
| | # enforced when the log is polled, so a burst of attempts inside one sleep | |
| | # interval is not cut short until the next poll. | |
398 | DAEMON_SLEEP = 30 | |
399 | # | |
400 | ####################################################################### | |
401 | ||
402 | ####################################################################### | |
403 | # | |
0dd10d1d | 404 | # DAEMON_PURGE: How often should DenyHosts, when run in daemon mode, |
6b557d34 | 405 | # run the purge mechanism to expire old entries in HOSTS_DENY |
6b557d34 | 406 | # This has no effect if PURGE_DENY is blank. |
407 | # | |
408 | DAEMON_PURGE = 60 | |
409 | # | |
410 | ####################################################################### | |
411 | ||
400edb92 MB |
412 | |
413 | ######### THESE SETTINGS ARE SPECIFIC TO ########## | |
414 | ######### DAEMON SYNCHRONIZATION ########## | |
415 | ||
416 | ||
417 | ####################################################################### | |
418 | # | |
419 | # Synchronization mode allows the DenyHosts daemon the ability | |
420 | # to periodically send and receive denied host data such that | |
421 | # DenyHosts daemons worldwide can automatically inform one | |
422 | # another regarding banned hosts. This mode is disabled by | |
423 | # default, you must uncomment SYNC_SERVER to enable this mode. | |
424 | # | |
425 | # for more information, please refer to: | |
426 | # http://denyhosts.sourceforge.net/faq.html#sync | |
427 | # | |
428 | ####################################################################### | |
429 | ||
430 | ||
431 | ####################################################################### | |
432 | # | |
433 | # SYNC_SERVER: The central server that communicates with DenyHost | |
434 | # daemons. Currently, denyhosts.net is the only available server | |
435 | # however, in the future, it may be possible for organizations to | |
436 | # install their own server for internal network synchronization | |
437 | # | |
438 | # To disable synchronization (the default), do nothing. | |
439 | # | |
| | # Note: the exchange runs over plain HTTP to a third-party service, with no | |
| | # integrity protection visible in this configuration. With SYNC_DOWNLOAD on, | |
| | # addresses received from it are written into HOSTS_DENY, so a malicious or | |
| | # compromised server or participant, or anyone able to tamper with the | |
| | # connection, can make this host deny arbitrary addresses (including your | |
| | # own). SYNC_DOWNLOAD_THRESHOLD and SYNC_DOWNLOAD_RESILIENCY narrow this | |
| | # but do not remove it, and SYNC_UPLOAD discloses the addresses you deny. | |
440 | # To enable synchronization, you must uncomment the following line: | |
441 | #SYNC_SERVER = http://xmlrpc.denyhosts.net:9911 | |
442 | # | |
443 | ####################################################################### | |
444 | ||
445 | ####################################################################### | |
446 | # | |
447 | # SYNC_INTERVAL: the interval of time to perform synchronizations if | |
448 | # SYNC_SERVER has been uncommented. The default is 1 hour. | |
449 | # | |
450 | #SYNC_INTERVAL = 1h | |
451 | # | |
452 | ####################################################################### | |
453 | ||
454 | ||
455 | ####################################################################### | |
456 | # | |
457 | # SYNC_UPLOAD: allow your DenyHosts daemon to transmit hosts that have | |
458 | # been denied? This option only applies if SYNC_SERVER has | |
459 | # been uncommented. | |
c3be9809 | 460 | # The default is SYNC_UPLOAD = yes |
400edb92 MB |
461 | # |
462 | #SYNC_UPLOAD = no | |
463 | # | |
400edb92 MB |
464 | #SYNC_UPLOAD = yes |
465 | # | |
466 | ####################################################################### | |
467 | ||
468 | ||
469 | ####################################################################### | |
470 | # | |
471 | # SYNC_DOWNLOAD: allow your DenyHosts daemon to receive hosts that have | |
472 | # been denied by others? This option only applies if SYNC_SERVER has | |
473 | # been uncommented. | |
c3be9809 | 474 | # The default is SYNC_DOWNLOAD = yes |
400edb92 MB |
475 | # |
476 | #SYNC_DOWNLOAD = no | |
477 | # | |
400edb92 MB |
478 | #SYNC_DOWNLOAD = yes |
479 | # | |
480 | ####################################################################### | |
481 | ||
482 | ####################################################################### | |
483 | # | |
484 | # SYNC_DOWNLOAD_THRESHOLD: If SYNC_DOWNLOAD is enabled this parameter | |
485 | # filters the returned hosts to those that have been blocked this many | |
486 | # times by others. That is, if set to 1, then if a single DenyHosts | |
487 | # server has denied an ip address then you will receive the denied host. | |
c3be9809 RT |
488 | # |
489 | # See also SYNC_DOWNLOAD_RESILIENCY | |
400edb92 MB |
490 | # |
491 | #SYNC_DOWNLOAD_THRESHOLD = 10 | |
492 | # | |
c3be9809 | 493 | # The default is SYNC_DOWNLOAD_THRESHOLD = 3 |
400edb92 MB |
494 | #SYNC_DOWNLOAD_THRESHOLD = 3 |
495 | # | |
496 | ####################################################################### | |
497 | ||
c3be9809 RT |
498 | ####################################################################### |
499 | # | |
500 | # SYNC_DOWNLOAD_RESILIENCY: If SYNC_DOWNLOAD is enabled then the | |
501 | # value specified for this option limits the downloaded data | |
502 | # to this resiliency period or greater. | |
503 | # | |
504 | # Resiliency is defined as the timespan between an attacker's first known | |
505 | # attack and its most recent attack. Example: | |
506 | # | |
507 | # If the centralized denyhosts.net server records an attack at 2 PM | |
508 | # and then again at 5 PM, specifying a SYNC_DOWNLOAD_RESILIENCY = 4h | |
509 | # will not download this ip address. | |
510 | # | |
511 | # However, if the attacker is recorded again at 6:15 PM then the | |
512 | # ip address will be downloaded by your DenyHosts instance. | |
513 | # | |
514 | # This value is used in conjunction with the SYNC_DOWNLOAD_THRESHOLD | |
515 | # and only hosts that satisfy both values will be downloaded. | |
516 | # This value has no effect if SYNC_DOWNLOAD_THRESHOLD = 1 | |
517 | # | |
518 | # The default is SYNC_DOWNLOAD_RESILIENCY = 5h (5 hours) | |
519 | # | |
520 | # Only obtain hackers that have been at it for 2 days or more: | |
521 | #SYNC_DOWNLOAD_RESILIENCY = 2d | |
522 | # | |
523 | # Only obtain hackers that have been at it for 5 hours or more: | |
524 | #SYNC_DOWNLOAD_RESILIENCY = 5h | |
525 | # | |
526 | ####################################################################### | |
400edb92 | 527 |