# The file to process can be overridden with the --file command line
# argument
#
-# Redhat:
+# Redhat or Fedora Core:
SECURE_LOG = /var/log/secure
#
-# Mandrake or FreeBSD:
+# Mandrake, FreeBSD or OpenBSD:
#SECURE_LOG = /var/log/auth.log
#
# SuSE:
#
########################################################################
-
########################################################################
# HOSTS_DENY: the file which contains restricted host access information
#
#######################################################################
#
-# DENY_THRESHOLD: block each host after the number of failed login
-# attempts has exceeded this value.
+# DENY_THRESHOLD_INVALID: block each host after the number of failed login
+# attempts has exceeded this value. This value applies to invalid
+# user login attempts (eg. non-existent user accounts)
#
-DENY_THRESHOLD = 3
+DENY_THRESHOLD_INVALID = 3
#
#######################################################################
+#######################################################################
+#
+# DENY_THRESHOLD_VALID: block each host after the number of failed
+# login attempts has exceeded this value. This value applies to valid
+# user login attempts (eg. user accounts that exist in /etc/passwd) except
+# for the "root" user
+#
+DENY_THRESHOLD_VALID = 10
+#
+#######################################################################
+
+#######################################################################
+#
+# DENY_THRESHOLD_ROOT: block each host after the number of failed
+# login attempts has exceeded this value. This value applies to
+# "root" user login attempts only.
+#
+DENY_THRESHOLD_ROOT = 1
+#
+#######################################################################
+
+
#######################################################################
#
# WORK_DIR: the path that DenyHosts will use for writing data to
-# (it will be created if it does not already exist).
+# (it will be created if it does not already exist).
+#
+# Note: when run in daemon mode, this directory should be specified
+# as an absolute path name (eg. /home/foo/denyhosts/data)
#
WORK_DIR = /var/lib/DenyHosts
#
# (if available).
#
HOSTNAME_LOOKUP=YES
+#
######################################################################
# Redhat/Fedora:
LOCK_FILE = /var/lock/subsys/denyhosts
#
+# Debian
+#LOCK_FILE = /var/run/denyhosts.pid
+#
+# Misc
#LOCK_FILE = /tmp/denyhosts.lock
-
+#
######################################################################
#
SMTP_HOST = localhost
SMTP_PORT = 25
-SMTP_FROM = DenyHosts
+SMTP_FROM = DenyHosts <nobody@localhost>
SMTP_SUBJECT = DenyHosts Report
+#SMTP_USERNAME=foo
+#SMTP_PASSWORD=bar
#
#######################################################################
+######################################################################
+#
+# ALLOWED_HOSTS_HOSTNAME_LOOKUP
+#
+# ALLOWED_HOSTS_HOSTNAME_LOOKUP=YES|NO
+# If set to YES, for each entry in the WORK_DIR/allowed-hosts file,
+# the hostname will be looked up. If your versions of tcp_wrappers
+# and sshd sometimes log hostnames in addition to ip addresses
+# then you may wish to specify this option.
+#
+#ALLOWED_HOSTS_HOSTNAME_LOOKUP=NO
+#
+######################################################################
+
+######################################################################
+#
+# AGE_RESET_VALID: Specifies the period of time between failed login
+# attempts that, when exceeded will result in the failed count for
+# this host to be reset to 0. This value applies to login attempts
+# to all valid users (those within /etc/passwd) with the
+# exception of root. If not defined, this count will never
+# be reset.
+#
+# See the comments in the PURGE_DENY section (above)
+# for details on specifying this value or for complete details
+# refer to: http://denyhosts.sourceforge.net/faq.html#timespec
+#
+AGE_RESET_VALID=5d
+#
+######################################################################
+
+######################################################################
+#
+# AGE_RESET_ROOT: Specifies the period of time between failed login
+# attempts that, when exceeded will result in the failed count for
+# this host to be reset to 0. This value applies to all login
+# attempts to the "root" user account. If not defined,
+# this count will never be reset.
+#
+# See the comments in the PURGE_DENY section (above)
+# for details on specifying this value or for complete details
+# refer to: http://denyhosts.sourceforge.net/faq.html#timespec
+#
+AGE_RESET_ROOT=25d
+#
+######################################################################
+
+######################################################################
+#
+# AGE_RESET_INVALID: Specifies the period of time between failed login
+# attempts that, when exceeded will result in the failed count for
+# this host to be reset to 0. This value applies to login attempts
+# made to any invalid username (those that do not appear
+# in /etc/passwd). If not defined, count will never be reset.
+#
+# See the comments in the PURGE_DENY section (above)
+# for details on specifying this value or for complete details
+# refer to: http://denyhosts.sourceforge.net/faq.html#timespec
+#
+AGE_RESET_INVALID=10d
+#
+######################################################################
+
+######################################################################
+#
+# PLUGIN_DENY: If set, this value should point to an executable
+# program that will be invoked when a host is added to the
+# HOSTS_DENY file. This executable will be passed the host
+# that will be added as it's only argument.
+#
+#PLUGIN_DENY=/usr/bin/true
+#
+######################################################################
+
+
+######################################################################
+#
+# PLUGIN_PURGE: If set, this value should point to an executable
+# program that will be invoked when a host is removed from the
+# HOSTS_DENY file. This executable will be passed the host
+# that is to be purged as it's only argument.
+#
+#PLUGIN_PURGE=/usr/bin/true
+#
+######################################################################
+
+
+ ######### THESE SETTINGS ARE SPECIFIC TO DAEMON MODE ##########
#######################################################################
#
######################################################################
-
-
+#######################################################################
+#
+# DAEMON_LOG_TIME_FORMAT: when DenyHosts is run in daemon mode
+# (--daemon flag) this specifies the timestamp format of
+# the DAEMON_LOG messages (default is the ISO8061 format:
+# ie. 2005-07-22 10:38:01,745)
+#
+# for possible values for this parameter refer to: man strftime
+#
+# Jan 1 13:05:59
+#DAEMON_LOG_TIME_FORMAT = %b %d %H:%M:%S
+#
+# Jan 1 01:05:59
+#DAEMON_LOG_TIME_FORMAT = %b %d %I:%M:%S
+#
+######################################################################
+
#######################################################################
#
# DAEMON_SLEEP: when DenyHosts is run in daemon mode (--daemon flag)
# this is the amount of time DenyHosts will sleep between polling
-# the SECURE_LOG. This value is in seconds (default is 30)
+# the SECURE_LOG. See the comments in the PURGE_DENY section (above)
+# for details on specifying this value or for complete details
+# refer to: http://denyhosts.sourceforge.net/faq.html#timespec
+#
#
DAEMON_SLEEP = 30
#
#######################################################################
#
-# DAEMON_PURGE: How often should DenyHosts, when run in daemon mode
+# DAEMON_PURGE: How often should DenyHosts, when run in daemon mode,
# run the purge mechanism to expire old entries in HOSTS_DENY
-# This value is in seconds (default is 3600 seconds = 1 hour)
# This has no effect if PURGE_DENY is blank.
#
DAEMON_PURGE = 60
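Review bot: The new PLUGIN_DENY and PLUGIN_PURGE comments say the host is passed as the executable's only argument but do not say where that value comes from — it is derived from the parsed SECURE_LOG and, with HOSTNAME_LOOKUP enabled, from reverse DNS — so a plugin written as a shell script that expands `$1` unquoted or forwards it to another shell command can be influenced by whoever controls the logged address or its PTR record. I would add under `# that will be added as it's only argument.` (and the matching PLUGIN_PURGE line) the comment `# The argument comes from log/DNS data and must be treated as untrusted:` / `# quote it and never pass it through a shell unescaped.`; whether DenyHosts itself invokes the plugin via a shell is not visible in this hunk, so the warning is best aimed at the plugin author. Both comments should also read "its only argument" rather than "it's". Separately, the new `#SMTP_PASSWORD=bar` example invites a plaintext credential into this file, and the comment should state that the file must then be readable only by the user DenyHosts runs as.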