1 ############ THESE SETTINGS ARE REQUIRED ############
3 ########################################################################
5 # SECURE_LOG: the log file that contains sshd logging info
6 # if you are not sure, grep "sshd:" /var/log/*
8 # The file to process can be overridden with the --file command line
11 # Redhat or Fedora Core:
12 SECURE_LOG = /var/log/secure
14 # Mandrake, FreeBSD or OpenBSD:
15 #SECURE_LOG = /var/log/auth.log
18 #SECURE_LOG = /var/log/messages
20 ########################################################################
22 ########################################################################
23 # HOSTS_DENY: the file which contains restricted host access information
25 # Most operating systems:
26 HOSTS_DENY = /etc/tcpd/hosts.deny
28 # Some BSD (FreeBSD) Unixes:
29 #HOSTS_DENY = /etc/hosts.allow
31 # Another possibility (also see the next option):
32 #HOSTS_DENY = /etc/hosts.evil
33 #######################################################################
36 ########################################################################
37 # PURGE_DENY: removed HOSTS_DENY entries that are older than this time
38 # when DenyHosts is invoked with the --purge flag
41 # Where 'i' is an integer (eg. 7)
51 # purge entries older than 1 week
54 # purge entries older than 5 days
56 #######################################################################
59 #######################################################################
60 # BLOCK_SERVICE: the service name that should be blocked in HOSTS_DENY
62 # man 5 host_access for details
64 # eg. sshd: 127.0.0.1 # will block sshd logins from 127.0.0.1
66 # To block all services for the offending host:
70 # To only record the offending host and nothing else (if using
71 # an auxilary file to list the hosts). Refer to:
72 # http://denyhosts.sourceforge.net/faq.html#aux
75 #######################################################################
78 #######################################################################
80 # DENY_THRESHOLD_INVALID: block each host after the number of failed login
81 # attempts has exceeded this value. This value applies to invalid
82 # user login attempts (eg. non-existent user accounts)
84 DENY_THRESHOLD_INVALID = 3
86 #######################################################################
88 #######################################################################
90 # DENY_THRESHOLD_VALID: block each host after the number of failed
91 # login attempts has exceeded this value. This value applies to valid
92 # user login attempts (eg. user accounts that exist in /etc/passwd) except
95 DENY_THRESHOLD_VALID = 10
97 #######################################################################
99 #######################################################################
101 # DENY_THRESHOLD_ROOT: block each host after the number of failed
102 # login attempts has exceeded this value. This value applies to
103 # "root" user login attempts only.
105 DENY_THRESHOLD_ROOT = 1
107 #######################################################################
110 #######################################################################
112 # WORK_DIR: the path that DenyHosts will use for writing data to
113 # (it will be created if it does not already exist).
115 # Note: when run in daemon mode, this directory should be specified
116 # as an absolute path name (eg. /home/foo/denyhosts/data)
118 WORK_DIR = /var/lib/DenyHosts
120 #######################################################################
122 #######################################################################
124 # SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS
126 # SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES|NO
127 # If set to YES, if a suspicious login attempt results from an allowed-host
128 # then it is considered suspicious. If this is NO, then suspicious logins
129 # from allowed-hosts will not be reported. All suspicious logins from
130 # ip addresses that are not in allowed-hosts will always be reported.
132 SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
133 ######################################################################
135 ######################################################################
139 # HOSTNAME_LOOKUP=YES|NO
140 # If set to YES, for each IP address that is reported by Denyhosts,
141 # the corresponding hostname will be looked up and reported as well
146 ######################################################################
149 ######################################################################
153 # LOCK_FILE=/path/denyhosts
154 # If this file exists when DenyHosts is run, then DenyHosts will exit
155 # immediately. Otherwise, this file will be created upon invocation
156 # and deleted upon exit. This ensures that only one instance is
160 LOCK_FILE = /var/lock/subsys/denyhosts
163 #LOCK_FILE = /var/run/denyhosts.pid
166 #LOCK_FILE = /tmp/denyhosts.lock
168 ######################################################################
171 ############ THESE SETTINGS ARE OPTIONAL ############
174 #######################################################################
176 # ADMIN_EMAIL: if you would like to receive emails regarding newly
177 # restricted hosts and suspicious logins, set this address to
178 # match your email address. If you do not want to receive these reports
179 # leave this field blank (or run with the --noemail option)
181 ADMIN_EMAIL = root@localhost
183 #######################################################################
185 #######################################################################
187 SMTP_HOST = localhost
189 SMTP_FROM = DenyHosts <nobody@localhost>
190 SMTP_SUBJECT = DenyHosts Report
194 #######################################################################
196 ######################################################################
198 # ALLOWED_HOSTS_HOSTNAME_LOOKUP
200 # ALLOWED_HOSTS_HOSTNAME_LOOKUP=YES|NO
201 # If set to YES, for each entry in the WORK_DIR/allowed-hosts file,
202 # the hostname will be looked up. If your versions of tcp_wrappers
203 # and sshd sometimes log hostnames in addition to ip addresses
204 # then you may wish to specify this option.
206 #ALLOWED_HOSTS_HOSTNAME_LOOKUP=NO
208 ######################################################################
210 ######################################################################
212 # AGE_RESET_VALID: Specifies the period of time between failed login
213 # attempts that, when exceeded will result in the failed count for
214 # this host to be reset to 0. This value applies to login attempts
215 # to all valid users (those within /etc/passwd) with the
216 # exception of root. If not defined, this count will never
219 # See the comments in the PURGE_DENY section (above)
220 # for details on specifying this value or for complete details
221 # refer to: http://denyhosts.sourceforge.net/faq.html#timespec
225 ######################################################################
227 ######################################################################
229 # AGE_RESET_ROOT: Specifies the period of time between failed login
230 # attempts that, when exceeded will result in the failed count for
231 # this host to be reset to 0. This value applies to all login
232 # attempts to the "root" user account. If not defined,
233 # this count will never be reset.
235 # See the comments in the PURGE_DENY section (above)
236 # for details on specifying this value or for complete details
237 # refer to: http://denyhosts.sourceforge.net/faq.html#timespec
241 ######################################################################
243 ######################################################################
245 # AGE_RESET_INVALID: Specifies the period of time between failed login
246 # attempts that, when exceeded will result in the failed count for
247 # this host to be reset to 0. This value applies to login attempts
248 # made to any invalid username (those that do not appear
249 # in /etc/passwd). If not defined, count will never be reset.
251 # See the comments in the PURGE_DENY section (above)
252 # for details on specifying this value or for complete details
253 # refer to: http://denyhosts.sourceforge.net/faq.html#timespec
255 AGE_RESET_INVALID=10d
257 ######################################################################
259 ######################################################################
261 # PLUGIN_DENY: If set, this value should point to an executable
262 # program that will be invoked when a host is added to the
263 # HOSTS_DENY file. This executable will be passed the host
264 # that will be added as it's only argument.
266 #PLUGIN_DENY=/usr/bin/true
268 ######################################################################
271 ######################################################################
273 # PLUGIN_PURGE: If set, this value should point to an executable
274 # program that will be invoked when a host is removed from the
275 # HOSTS_DENY file. This executable will be passed the host
276 # that is to be purged as it's only argument.
278 #PLUGIN_PURGE=/usr/bin/true
280 ######################################################################
283 ######### THESE SETTINGS ARE SPECIFIC TO DAEMON MODE ##########
286 #######################################################################
288 # DAEMON_LOG: when DenyHosts is run in daemon mode (--daemon flag)
289 # this is the logfile that DenyHosts uses to report it's status.
290 # To disable logging, leave blank. (default is: /var/log/denyhosts)
292 DAEMON_LOG = /var/log/denyhosts
297 ######################################################################
299 #######################################################################
301 # DAEMON_LOG_TIME_FORMAT: when DenyHosts is run in daemon mode
302 # (--daemon flag) this specifies the timestamp format of
303 # the DAEMON_LOG messages (default is the ISO8061 format:
304 # ie. 2005-07-22 10:38:01,745)
306 # for possible values for this parameter refer to: man strftime
309 #DAEMON_LOG_TIME_FORMAT = %b %d %H:%M:%S
312 #DAEMON_LOG_TIME_FORMAT = %b %d %I:%M:%S
314 ######################################################################
316 #######################################################################
318 # DAEMON_SLEEP: when DenyHosts is run in daemon mode (--daemon flag)
319 # this is the amount of time DenyHosts will sleep between polling
320 # the SECURE_LOG. See the comments in the PURGE_DENY section (above)
321 # for details on specifying this value or for complete details
322 # refer to: http://denyhosts.sourceforge.net/faq.html#timespec
327 #######################################################################
329 #######################################################################
331 # DAEMON_PURGE: How often should DenyHosts, when run in daemon mode,
332 # run the purge mechanism to expire old entries in HOSTS_DENY
333 # This has no effect if PURGE_DENY is blank.
337 #######################################################################