]> git.pld-linux.org Git - packages/DenyHosts.git/blame - DenyHosts.cfg
- rel. 2 for rebuild with python 2.5
6b557d34 1 ############ THESE SETTINGS ARE REQUIRED ############
cb64b9ac 2
3########################################################################
4#
5# SECURE_LOG: the log file that contains sshd logging info
6# if you are not sure, grep "sshd:" /var/log/*
7#
8# The file to process can be overridden with the --file command line
9# argument
10#
0dd10d1d 11# Redhat or Fedora Core:
cb64b9ac 12SECURE_LOG = /var/log/secure
13#
0dd10d1d 14# Mandrake, FreeBSD or OpenBSD:
cb64b9ac 15#SECURE_LOG = /var/log/auth.log
16#
17# SuSE:
18#SECURE_LOG = /var/log/messages
19#
99447933 20# Mac OS X (v10.4 or greater -
55eeb5c2
RT
21# also refer to: http://www.denyhosts.net/faq.html#macos
22#SECURE_LOG = /private/var/log/asl.log
23#
24# Mac OS X (v10.3 or earlier):
25#SECURE_LOG=/private/var/log/system.log
26#
cb64b9ac 27########################################################################
28
29########################################################################
99447933 30#
cb64b9ac 31# HOSTS_DENY: the file which contains restricted host access information
32#
# NOTE(review): an entry written here only blocks anything if the TCP
# wrappers configuration used by the service named in BLOCK_SERVICE reads
# this exact file. /etc/tcpd/hosts.deny is presumably this distribution's
# location; confirm with "man 5 hosts_access" on the target system.
6b557d34 33# Most operating systems:
cb64b9ac 34HOSTS_DENY = /etc/tcpd/hosts.deny
35#
6b557d34 36# Some BSD (FreeBSD) Unixes:
37#HOSTS_DENY = /etc/hosts.allow
38#
39# Another possibility (also see the next option):
40#HOSTS_DENY = /etc/hosts.evil
41#######################################################################
42
99447933 43
6b557d34 44########################################################################
99447933 45#
6b557d34 46# PURGE_DENY: remove HOSTS_DENY entries that are older than this time
47# when DenyHosts is invoked with the --purge flag
48#
49# format is: i[dhwmy]
50# Where 'i' is an integer (eg. 7)
51# 'm' = minutes
52# 'h' = hours
53# 'd' = days
54# 'w' = weeks
55# 'y' = years
# NOTE(review): DAEMON_SLEEP in this file uses an 's' suffix that is not
# listed here; presumably seconds -- confirm against the timespec FAQ.
56#
57# never purge:
# With a blank value a denied address stays in HOSTS_DENY until someone
# removes it by hand, including a legitimate user who mistyped a password
# or a dynamic address that has since been reassigned.
58PURGE_DENY =
59#
60# purge entries older than 1 week
61#PURGE_DENY = 1w
62#
63# purge entries older than 5 days
64#PURGE_DENY = 5d
cb64b9ac 65#######################################################################
66
55eeb5c2
RT
67#######################################################################
68#
99447933
MB
69# PURGE_THRESHOLD: defines the maximum times a host will be purged.
70# Once this value has been exceeded then this host will not be purged.
55eeb5c2
RT
71# Setting this parameter to 0 (the default) disables this feature.
72#
73# default: a denied host can be purged/re-added indefinitely
74#PURGE_THRESHOLD = 0
75#
99447933
MB
76# a denied host will be purged at most 2 times.
77#PURGE_THRESHOLD = 2
55eeb5c2
RT
78#
79#######################################################################
80
99447933 81
cb64b9ac 82#######################################################################
99447933 83#
cb64b9ac 84# BLOCK_SERVICE: the service name that should be blocked in HOSTS_DENY
85#
400edb92 86# man 5 hosts_access for details
cb64b9ac 87#
6b557d34 88# eg. sshd: 127.0.0.1 # will block sshd logins from 127.0.0.1
cb64b9ac 89#
90# To block all services for the offending host:
91#BLOCK_SERVICE = ALL
92# To block only sshd:
6b557d34 93BLOCK_SERVICE = sshd
94# To only record the offending host and nothing else (if using
95# an auxiliary file to list the hosts). Refer to:
96# http://denyhosts.sourceforge.net/faq.html#aux
97#BLOCK_SERVICE =
cb64b9ac 98#
99#######################################################################
100
99447933 101
cb64b9ac 102#######################################################################
103#
0dd10d1d
MB
104# DENY_THRESHOLD_INVALID: block each host after the number of failed login
105# attempts has exceeded this value. This value applies to invalid
106# user login attempts (eg. non-existent user accounts)
cb64b9ac 107#
0dd10d1d 108DENY_THRESHOLD_INVALID = 3
cb64b9ac 109#
110#######################################################################
111
0dd10d1d
MB
112#######################################################################
113#
114# DENY_THRESHOLD_VALID: block each host after the number of failed
115# login attempts has exceeded this value. This value applies to valid
116# user login attempts (eg. user accounts that exist in /etc/passwd) except
117# for the "root" user
118#
119DENY_THRESHOLD_VALID = 10
120#
121#######################################################################
122
123#######################################################################
124#
125# DENY_THRESHOLD_ROOT: block each host after the number of failed
126# login attempts has exceeded this value. This value applies to
127# "root" user login attempts only.
128#
129DENY_THRESHOLD_ROOT = 1
130#
131#######################################################################
132
99447933 133
c3be9809
RT
134#######################################################################
135#
99447933
MB
136# DENY_THRESHOLD_RESTRICTED: block each host after the number of failed
137# login attempts has exceeded this value. This value applies to
c3be9809
RT
138# usernames that appear in the WORK_DIR/restricted-usernames file only.
139#
140DENY_THRESHOLD_RESTRICTED = 1
141#
142#######################################################################
0dd10d1d 143
99447933 144
cb64b9ac 145#######################################################################
146#
147# WORK_DIR: the path that DenyHosts will use for writing data to
0dd10d1d
MB
148# (it will be created if it does not already exist).
149#
c3be9809
RT
150# Note: it is recommended that you use an absolute pathname
151# for this value (eg. /home/foo/denyhosts/data)
6b557d34 152#
153WORK_DIR = /var/lib/DenyHosts
cb64b9ac 154#
155#######################################################################
156
6b557d34 157#######################################################################
158#
159# SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS
160#
161# SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES|NO
162# If set to YES, a suspicious login attempt that comes from an allowed-host
163# is still considered suspicious. If this is NO, then suspicious logins
164# from allowed-hosts will not be reported. All suspicious logins from
165# ip addresses that are not in allowed-hosts will always be reported.
166#
167SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
168######################################################################
169
170######################################################################
171#
172# HOSTNAME_LOOKUP
173#
174# HOSTNAME_LOOKUP=YES|NO
175# If set to YES, for each IP address that is reported by Denyhosts,
176# the corresponding hostname will be looked up and reported as well
177# (if available).
178#
179HOSTNAME_LOOKUP=YES
0dd10d1d 180#
6b557d34 181######################################################################
cb64b9ac 182
99447933 183
6b557d34 184######################################################################
185#
186# LOCK_FILE
187#
188# LOCK_FILE=/path/denyhosts
189# If this file exists when DenyHosts is run, then DenyHosts will exit
190# immediately. Otherwise, this file will be created upon invocation
191# and deleted upon exit. This ensures that only one instance is
192# running at a time.
# NOTE: because an existing lock file makes DenyHosts exit immediately,
# keep the lock in a directory that only root can write to. A stale file
# left behind by an unclean exit has the same effect, so monitor that the
# daemon is actually running rather than assuming it started.
193#
194# Redhat/Fedora:
195LOCK_FILE = /var/lock/subsys/denyhosts
196#
0dd10d1d
MB
197# Debian
198#LOCK_FILE = /var/run/denyhosts.pid
199#
200# Misc
# /tmp is writable by every local user, so a lock file there can exist
# without DenyHosts having created it; prefer one of the paths above.
6b557d34 201#LOCK_FILE = /tmp/denyhosts.lock
0dd10d1d 202#
6b557d34 203######################################################################
204
205
206 ############ THESE SETTINGS ARE OPTIONAL ############
cb64b9ac 207
208
209#######################################################################
210#
211# ADMIN_EMAIL: if you would like to receive emails regarding newly
212# restricted hosts and suspicious logins, set this address to
213# match your email address. If you do not want to receive these reports
214# leave this field blank (or run with the --noemail option)
215#
99447933
MB
216# Multiple email addresses can be delimited by a comma, eg:
217# ADMIN_EMAIL = foo@bar.com, bar@foo.com, etc@foobar.com
218#
cb64b9ac 219ADMIN_EMAIL = root@localhost
220#
221#######################################################################
222
223#######################################################################
224#
99447933
MB
225# SMTP_HOST and SMTP_PORT: if DenyHosts is configured to email
226# reports (see ADMIN_EMAIL) then these settings specify the
358bb9bc 227# email server address (SMTP_HOST) and the server port (SMTP_PORT)
99447933 228#
358bb9bc 229#
cb64b9ac 230SMTP_HOST = localhost
231SMTP_PORT = 25
358bb9bc
RT
232#
233#######################################################################
234
235#######################################################################
99447933
MB
236#
237# SMTP_USERNAME and SMTP_PASSWORD: set these parameters if your
358bb9bc
RT
238# smtp email server requires authentication
# NOTE: the password is stored in this file in clear text. If you set it,
# make the file readable by root only and use a dedicated mail account
# that has no other privileges.
# NOTE(review): no option for encrypting the SMTP session appears in this
# file; confirm how your DenyHosts version connects before sending
# credentials to an SMTP_HOST other than localhost.
239#
0dd10d1d
MB
240#SMTP_USERNAME=foo
241#SMTP_PASSWORD=bar
cb64b9ac 242#
99447933 243######################################################################
cb64b9ac 244
358bb9bc
RT
245#######################################################################
246#
247# SMTP_FROM: you can specify the "From:" address in messages sent
248# from DenyHosts when it reports thwarted abuse attempts
249#
250SMTP_FROM = DenyHosts <nobody@localhost>
251#
252#######################################################################
253
254#######################################################################
255#
256# SMTP_SUBJECT: you can specify the "Subject:" of messages sent
257# by DenyHosts when it reports thwarted abuse attempts
258SMTP_SUBJECT = DenyHosts Report
259#
260######################################################################
261
262######################################################################
263#
264# SMTP_DATE_FORMAT: specifies the format used for the "Date:" header
265# when sending email messages.
266#
267# for possible values for this parameter refer to: man strftime
268#
269# the default:
270#
271#SMTP_DATE_FORMAT = %a, %d %b %Y %H:%M:%S %z
272#
273######################################################################
274
55eeb5c2
RT
275######################################################################
276#
277# SYSLOG_REPORT
278#
279# SYSLOG_REPORT=YES|NO
280# If set to yes, when denied hosts are recorded the report data
281# will be sent to syslog (syslog must be present on your system).
282# The default is: NO
283#
284#SYSLOG_REPORT=NO
285#
286#SYSLOG_REPORT=YES
287#
288######################################################################
289
0dd10d1d
MB
290######################################################################
291#
292# ALLOWED_HOSTS_HOSTNAME_LOOKUP
293#
294# ALLOWED_HOSTS_HOSTNAME_LOOKUP=YES|NO
295# If set to YES, for each entry in the WORK_DIR/allowed-hosts file,
296# the hostname will be looked up. If your versions of tcp_wrappers
297# and sshd sometimes log hostnames in addition to ip addresses
298# then you may wish to specify this option.
299#
300#ALLOWED_HOSTS_HOSTNAME_LOOKUP=NO
301#
302######################################################################
303
304######################################################################
305#
306# AGE_RESET_VALID: Specifies the period of time between failed login
307# attempts that, when exceeded will result in the failed count for
308# this host to be reset to 0. This value applies to login attempts
309# to all valid users (those within /etc/passwd) with the
310# exception of root. If not defined, this count will never
311# be reset.
312#
313# See the comments in the PURGE_DENY section (above)
314# for details on specifying this value or for complete details
315# refer to: http://denyhosts.sourceforge.net/faq.html#timespec
316#
317AGE_RESET_VALID=5d
318#
319######################################################################
320
321######################################################################
322#
323# AGE_RESET_ROOT: Specifies the period of time between failed login
324# attempts that, when exceeded will result in the failed count for
325# this host to be reset to 0. This value applies to all login
326# attempts to the "root" user account. If not defined,
327# this count will never be reset.
328#
329# See the comments in the PURGE_DENY section (above)
330# for details on specifying this value or for complete details
331# refer to: http://denyhosts.sourceforge.net/faq.html#timespec
332#
333AGE_RESET_ROOT=25d
334#
335######################################################################
336
99447933
MB
337######################################################################
338#
c3be9809 339# AGE_RESET_RESTRICTED: Specifies the period of time between failed login
99447933
MB
340# attempts that, when exceeded will result in the failed count for
341# this host to be reset to 0. This value applies to all login
342# attempts to entries found in the WORK_DIR/restricted-usernames file.
c3be9809
RT
343# If not defined, the count will never be reset.
344#
99447933
MB
345# See the comments in the PURGE_DENY section (above)
346# for details on specifying this value or for complete details
c3be9809
RT
347# refer to: http://denyhosts.sourceforge.net/faq.html#timespec
348#
349AGE_RESET_RESTRICTED=25d
350#
351######################################################################
352
99447933 353
0dd10d1d
MB
354######################################################################
355#
356# AGE_RESET_INVALID: Specifies the period of time between failed login
357# attempts that, when exceeded will result in the failed count for
358# this host to be reset to 0. This value applies to login attempts
359# made to any invalid username (those that do not appear
360# in /etc/passwd). If not defined, count will never be reset.
361#
362# See the comments in the PURGE_DENY section (above)
363# for details on specifying this value or for complete details
364# refer to: http://denyhosts.sourceforge.net/faq.html#timespec
365#
366AGE_RESET_INVALID=10d
367#
368######################################################################
369
99447933 370
c3be9809
RT
371######################################################################
372#
373# RESET_ON_SUCCESS: If this parameter is set to "yes" then the
374# failed count for the respective ip address will be reset to 0
99447933 375# if the login is successful.
c3be9809
RT
376#
377# The default is RESET_ON_SUCCESS = no
378#
379#RESET_ON_SUCCESS = yes
380#
381#####################################################################
382
99447933 383
0dd10d1d
MB
384######################################################################
385#
386# PLUGIN_DENY: If set, this value should point to an executable
387# program that will be invoked when a host is added to the
388# HOSTS_DENY file. This executable will be passed the host
389# that will be added as its only argument.
# NOTE: the plugin runs with the privileges of the DenyHosts process
# (typically root, since it writes HOSTS_DENY -- confirm for your setup),
# so the program and every directory above it should be writable by root
# only. The host argument is derived from log data; a plugin should
# validate it as an address or hostname and never pass it to a shell
# unquoted.
390#
391#PLUGIN_DENY=/usr/bin/true
392#
393######################################################################
394
395
396######################################################################
397#
398# PLUGIN_PURGE: If set, this value should point to an executable
399# program that will be invoked when a host is removed from the
400# HOSTS_DENY file. This executable will be passed the host
401# that is to be purged as its only argument.
# NOTE: the plugin runs with the privileges of the DenyHosts process
# (typically root, since it writes HOSTS_DENY -- confirm for your setup),
# so the program and every directory above it should be writable by root
# only. The host argument is derived from log data; a plugin should
# validate it as an address or hostname and never pass it to a shell
# unquoted.
402#
403#PLUGIN_PURGE=/usr/bin/true
404#
405######################################################################
406
400edb92
MB
407######################################################################
408#
409# USERDEF_FAILED_ENTRY_REGEX: if set, this value should contain
410# a regular expression that can be used to identify additional
411# hackers for your particular ssh configuration. This functionality
412# extends the built-in regular expressions that DenyHosts uses.
413# This parameter can be specified multiple times.
414# See this faq entry for more details:
415# http://denyhosts.sf.net/faq.html#userdef_regex
# NOTE: the expression is presumably matched against SECURE_LOG lines, and
# parts of those lines (such as the attempted user name) are chosen by the
# remote client. Anchor the pattern so the host is taken only from the
# position where sshd writes the peer address, and test it against real
# log samples before enabling it; an over-broad pattern can add
# unintended addresses to HOSTS_DENY.
416#
417#USERDEF_FAILED_ENTRY_REGEX=
418#
419#
420######################################################################
421
422
423
0dd10d1d
MB
424
425 ######### THESE SETTINGS ARE SPECIFIC TO DAEMON MODE ##########
6b557d34 426
427
400edb92 428
6b557d34 429#######################################################################
430#
431# DAEMON_LOG: when DenyHosts is run in daemon mode (--daemon flag)
432# this is the logfile that DenyHosts uses to report its status.
433# To disable logging, leave blank. (default is: /var/log/denyhosts)
434#
435DAEMON_LOG = /var/log/denyhosts
436#
437# disable logging:
438#DAEMON_LOG =
439#
440######################################################################
441
0dd10d1d
MB
442#######################################################################
443#
444# DAEMON_LOG_TIME_FORMAT: when DenyHosts is run in daemon mode
445# (--daemon flag) this specifies the timestamp format of
446# the DAEMON_LOG messages (default is the ISO 8601 format:
447# ie. 2005-07-22 10:38:01,745)
448#
449# for possible values for this parameter refer to: man strftime
450#
451# Jan 1 13:05:59
452#DAEMON_LOG_TIME_FORMAT = %b %d %H:%M:%S
453#
454# Jan 1 01:05:59
455#DAEMON_LOG_TIME_FORMAT = %b %d %I:%M:%S
456#
457######################################################################
400edb92
MB
458
459#######################################################################
460#
461# DAEMON_LOG_MESSAGE_FORMAT: when DenyHosts is run in daemon mode
462# (--daemon flag) this specifies the message format of each logged
463# entry. By default the following format is used:
464#
465# %(asctime)s - %(name)-12s: %(levelname)-8s %(message)s
466#
467# Where the "%(asctime)s" portion is expanded to the format
468# defined by DAEMON_LOG_TIME_FORMAT
469#
470# This string is passed to python's logging.Formatter constructor.
471# For details on the possible format types please refer to:
472# http://docs.python.org/lib/node357.html
473#
474# This is the default:
475#DAEMON_LOG_MESSAGE_FORMAT = %(asctime)s - %(name)-12s: %(levelname)-8s %(message)s
476#
477#
478######################################################################
479
0dd10d1d 480
6b557d34 481#######################################################################
482#
483# DAEMON_SLEEP: when DenyHosts is run in daemon mode (--daemon flag)
484# this is the amount of time DenyHosts will sleep between polling
0dd10d1d
MB
485# the SECURE_LOG. See the comments in the PURGE_DENY section (above)
486# for details on specifying this value or for complete details
487# refer to: http://denyhosts.sourceforge.net/faq.html#timespec
488#
6b557d34 489#
358bb9bc 490DAEMON_SLEEP = 30s
6b557d34 491#
492#######################################################################
493
494#######################################################################
495#
0dd10d1d 496# DAEMON_PURGE: How often should DenyHosts, when run in daemon mode,
6b557d34 497# run the purge mechanism to expire old entries in HOSTS_DENY
6b557d34 498# This has no effect if PURGE_DENY is blank.
# NOTE(review): the value below has no unit suffix; presumably it is read
# as seconds -- confirm against
# http://denyhosts.sourceforge.net/faq.html#timespec
# PURGE_DENY is blank in this file, so as shipped this setting is inert.
499#
500DAEMON_PURGE = 60
501#
502#######################################################################
503
400edb92
MB
504
505 ######### THESE SETTINGS ARE SPECIFIC TO ##########
506 ######### DAEMON SYNCHRONIZATION ##########
507
508
509#######################################################################
510#
511# Synchronization mode allows the DenyHosts daemon the ability
512# to periodically send and receive denied host data such that
513# DenyHosts daemons worldwide can automatically inform one
514# another regarding banned hosts. This mode is disabled by
515# default, you must uncomment SYNC_SERVER to enable this mode.
516#
517# for more information, please refer to:
518# http://denyhosts.sourceforge.net/faq.html#sync
519#
520#######################################################################
521
522
523#######################################################################
524#
525# SYNC_SERVER: The central server that communicates with DenyHosts
526# daemons. Currently, denyhosts.net is the only available server
527# however, in the future, it may be possible for organizations to
528# install their own server for internal network synchronization
529#
530# To disable synchronization (the default), do nothing.
# NOTE: the URL below is plain http, so nothing visible here protects the
# exchange in transit -- confirm what your version supports. Downloaded
# entries presumably end up in HOSTS_DENY, so whoever controls the server
# or the network path to it influences which addresses you block. Before
# enabling, list addresses that must never be blocked in
# WORK_DIR/allowed-hosts (confirm it also applies to downloaded entries)
# and keep SYNC_DOWNLOAD_THRESHOLD and SYNC_DOWNLOAD_RESILIENCY
# conservative.
531#
532# To enable synchronization, you must uncomment the following line:
533#SYNC_SERVER = http://xmlrpc.denyhosts.net:9911
534#
535#######################################################################
536
537#######################################################################
538#
539# SYNC_INTERVAL: the interval of time to perform synchronizations if
540# SYNC_SERVER has been uncommented. The default is 1 hour.
541#
542#SYNC_INTERVAL = 1h
543#
544#######################################################################
545
546
547#######################################################################
548#
549# SYNC_UPLOAD: allow your DenyHosts daemon to transmit hosts that have
550# been denied? This option only applies if SYNC_SERVER has
551# been uncommented.
c3be9809 552# The default is SYNC_UPLOAD = yes
400edb92
MB
553#
554#SYNC_UPLOAD = no
400edb92
MB
555#SYNC_UPLOAD = yes
556#
557#######################################################################
558
559
560#######################################################################
561#
562# SYNC_DOWNLOAD: allow your DenyHosts daemon to receive hosts that have
563# been denied by others? This option only applies if SYNC_SERVER has
564# been uncommented.
c3be9809 565# The default is SYNC_DOWNLOAD = yes
400edb92
MB
566#
567#SYNC_DOWNLOAD = no
400edb92
MB
568#SYNC_DOWNLOAD = yes
569#
99447933
MB
570#
571#
400edb92
MB
572#######################################################################
573
574#######################################################################
575#
576# SYNC_DOWNLOAD_THRESHOLD: If SYNC_DOWNLOAD is enabled this parameter
577# filters the returned hosts to those that have been blocked this many
578# times by others. That is, if set to 1, then if a single DenyHosts
579# server has denied an ip address then you will receive the denied host.
580#
99447933
MB
581# See also SYNC_DOWNLOAD_RESILIENCY
582#
400edb92
MB
583#SYNC_DOWNLOAD_THRESHOLD = 10
584#
99447933
MB
585# The default is SYNC_DOWNLOAD_THRESHOLD = 3
586#
400edb92 587#SYNC_DOWNLOAD_THRESHOLD = 3
99447933 588#
400edb92
MB
589#######################################################################
590
c3be9809
RT
591#######################################################################
592#
593# SYNC_DOWNLOAD_RESILIENCY: If SYNC_DOWNLOAD is enabled then the
594# value specified for this option limits the downloaded data
595# to this resiliency period or greater.
596#
99447933 597# Resiliency is defined as the timespan between a hacker's first known
c3be9809 598# attack and its most recent attack. Example:
99447933
MB
599#
600# If the centralized denyhosts.net server records an attack at 2 PM
601# and then again at 5 PM, specifying a SYNC_DOWNLOAD_RESILIENCY = 4h
c3be9809
RT
602# will not download this ip address.
603#
99447933
MB
604# However, if the attacker is recorded again at 6:15 PM then the
605# ip address will be downloaded by your DenyHosts instance.
c3be9809 606#
99447933
MB
607# This value is used in conjunction with the SYNC_DOWNLOAD_THRESHOLD
608# and only hosts that satisfy both values will be downloaded.
609# This value has no effect if SYNC_DOWNLOAD_THRESHOLD = 1
c3be9809
RT
610#
611# The default is SYNC_DOWNLOAD_RESILIENCY = 5h (5 hours)
612#
613# Only obtain hackers that have been at it for 2 days or more:
614#SYNC_DOWNLOAD_RESILIENCY = 2d
615#
616# Only obtain hackers that have been at it for 5 hours or more:
617#SYNC_DOWNLOAD_RESILIENCY = 5h
618#
619#######################################################################
400edb92 620