/denyhosts.conf
Config | 622 lines | 554 code | 68 blank | 0 comment | 0 complexity | ee380750666cb6961f64922f34be4b20 MD5 | raw file
1 ############ THESE SETTINGS ARE REQUIRED ############ 2 3######################################################################## 4# 5# SECURE_LOG: the log file that contains sshd logging info 6# if you are not sure, grep "sshd:" /var/log/* 7# 8# The file to process can be overridden with the --file command line 9# argument 10# 11# Redhat or Fedora Core: 12#SECURE_LOG = /var/log/secure 13# 14# Mandrake, FreeBSD or OpenBSD: 15#SECURE_LOG = /var/log/auth.log 16# 17# SuSE: 18#SECURE_LOG = /var/log/messages 19# 20# Mac OS X (v10.4 or greater - 21# also refer to: http://www.denyhosts.net/faq.html#macos 22#SECURE_LOG = /private/var/log/asl.log 23# 24# Mac OS X (v10.3 or earlier): 25#SECURE_LOG=/private/var/log/system.log 26# 27# Debian: 28SECURE_LOG = /var/log/auth.log 29######################################################################## 30 31######################################################################## 32# 33# HOSTS_DENY: the file which contains restricted host access information 34# 35# Most operating systems: 36HOSTS_DENY = /etc/hosts.deny 37# 38# Some BSD (FreeBSD) Unixes: 39#HOSTS_DENY = /etc/hosts.allow 40# 41# Another possibility (also see the next option): 42#HOSTS_DENY = /etc/hosts.evil 43####################################################################### 44 45 46######################################################################## 47# 48# PURGE_DENY: removed HOSTS_DENY entries that are older than this time 49# when DenyHosts is invoked with the --purge flag 50# 51# format is: i[dhwmy] 52# Where 'i' is an integer (eg. 7) 53# 'm' = minutes 54# 'h' = hours 55# 'd' = days 56# 'w' = weeks 57# 'y' = years 58# 59# never purge: 60PURGE_DENY = 61# 62# purge entries older than 1 week 63#PURGE_DENY = 1w 64# 65# purge entries older than 5 days 66#PURGE_DENY = 5d 67####################################################################### 68 69####################################################################### 70# 71# PURGE_THRESHOLD: defines the maximum times a host will be purged. 72# Once this value has been exceeded then this host will not be purged. 73# Setting this parameter to 0 (the default) disables this feature. 74# 75# default: a denied host can be purged/re-added indefinitely 76#PURGE_THRESHOLD = 0 77# 78# a denied host will be purged at most 2 times. 79#PURGE_THRESHOLD = 2 80# 81####################################################################### 82 83 84####################################################################### 85# 86# BLOCK_SERVICE: the service name that should be blocked in HOSTS_DENY 87# 88# man 5 hosts_access for details 89# 90# eg. sshd: 127.0.0.1 # will block sshd logins from 127.0.0.1 91# 92# To block all services for the offending host: 93#BLOCK_SERVICE = ALL 94# To block only sshd: 95BLOCK_SERVICE = sshd 96# To only record the offending host and nothing else (if using 97# an auxilary file to list the hosts). Refer to: 98# http://denyhosts.sourceforge.net/faq.html#aux 99#BLOCK_SERVICE = 100# 101####################################################################### 102 103 104####################################################################### 105# 106# DENY_THRESHOLD_INVALID: block each host after the number of failed login 107# attempts has exceeded this value. This value applies to invalid 108# user login attempts (eg. non-existent user accounts) 109# 110DENY_THRESHOLD_INVALID = 5 111# 112####################################################################### 113 114####################################################################### 115# 116# DENY_THRESHOLD_VALID: block each host after the number of failed 117# login attempts has exceeded this value. This value applies to valid 118# user login attempts (eg. user accounts that exist in /etc/passwd) except 119# for the "root" user 120# 121DENY_THRESHOLD_VALID = 10 122# 123####################################################################### 124 125####################################################################### 126# 127# DENY_THRESHOLD_ROOT: block each host after the number of failed 128# login attempts has exceeded this value. This value applies to 129# "root" user login attempts only. 130# 131DENY_THRESHOLD_ROOT = 1 132# 133####################################################################### 134 135 136####################################################################### 137# 138# DENY_THRESHOLD_RESTRICTED: block each host after the number of failed 139# login attempts has exceeded this value. This value applies to 140# usernames that appear in the WORK_DIR/restricted-usernames file only. 141# 142DENY_THRESHOLD_RESTRICTED = 1 143# 144####################################################################### 145 146 147####################################################################### 148# 149# WORK_DIR: the path that DenyHosts will use for writing data to 150# (it will be created if it does not already exist). 151# 152# Note: it is recommended that you use an absolute pathname 153# for this value (eg. /home/foo/denyhosts/data) 154# 155WORK_DIR = /var/lib/denyhosts 156# 157####################################################################### 158 159####################################################################### 160# 161# SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS 162# 163# SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES|NO 164# If set to YES, if a suspicious login attempt results from an allowed-host 165# then it is considered suspicious. If this is NO, then suspicious logins 166# from allowed-hosts will not be reported. All suspicious logins from 167# ip addresses that are not in allowed-hosts will always be reported. 168# 169SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES 170###################################################################### 171 172###################################################################### 173# 174# HOSTNAME_LOOKUP 175# 176# HOSTNAME_LOOKUP=YES|NO 177# If set to YES, for each IP address that is reported by Denyhosts, 178# the corresponding hostname will be looked up and reported as well 179# (if available). 180# 181HOSTNAME_LOOKUP=YES 182# 183###################################################################### 184 185 186###################################################################### 187# 188# LOCK_FILE 189# 190# LOCK_FILE=/path/denyhosts 191# If this file exists when DenyHosts is run, then DenyHosts will exit 192# immediately. Otherwise, this file will be created upon invocation 193# and deleted upon exit. This ensures that only one instance is 194# running at a time. 195# 196# Redhat/Fedora: 197#LOCK_FILE = /var/lock/subsys/denyhosts 198# 199# Debian 200LOCK_FILE = /var/run/denyhosts.pid 201# 202# Misc 203#LOCK_FILE = /tmp/denyhosts.lock 204# 205###################################################################### 206 207 208 ############ THESE SETTINGS ARE OPTIONAL ############ 209 210 211####################################################################### 212# 213# ADMIN_EMAIL: if you would like to receive emails regarding newly 214# restricted hosts and suspicious logins, set this address to 215# match your email address. If you do not want to receive these reports 216# leave this field blank (or run with the --noemail option) 217# 218# Multiple email addresses can be delimited by a comma, eg: 219# ADMIN_EMAIL = foo@bar.com, bar@foo.com, etc@foobar.com 220# 221ADMIN_EMAIL = root@localhost 222# 223####################################################################### 224 225####################################################################### 226# 227# SMTP_HOST and SMTP_PORT: if DenyHosts is configured to email 228# reports (see ADMIN_EMAIL) then these settings specify the 229# email server address (SMTP_HOST) and the server port (SMTP_PORT) 230# 231# 232SMTP_HOST = localhost 233SMTP_PORT = 25 234# 235####################################################################### 236 237####################################################################### 238# 239# SMTP_USERNAME and SMTP_PASSWORD: set these parameters if your 240# smtp email server requires authentication 241# 242#SMTP_USERNAME=foo 243#SMTP_PASSWORD=bar 244# 245###################################################################### 246 247####################################################################### 248# 249# SMTP_FROM: you can specify the "From:" address in messages sent 250# from DenyHosts when it reports thwarted abuse attempts 251# 252SMTP_FROM = DenyHosts <nobody@localhost> 253# 254####################################################################### 255 256####################################################################### 257# 258# SMTP_SUBJECT: you can specify the "Subject:" of messages sent 259# by DenyHosts when it reports thwarted abuse attempts 260SMTP_SUBJECT = DenyHosts Report 261# 262###################################################################### 263 264###################################################################### 265# 266# SMTP_DATE_FORMAT: specifies the format used for the "Date:" header 267# when sending email messages. 268# 269# for possible values for this parameter refer to: man strftime 270# 271# the default: 272# 273#SMTP_DATE_FORMAT = %a, %d %b %Y %H:%M:%S %z 274# 275###################################################################### 276 277###################################################################### 278# 279# SYSLOG_REPORT 280# 281# SYSLOG_REPORT=YES|NO 282# If set to yes, when denied hosts are recorded the report data 283# will be sent to syslog (syslog must be present on your system). 284# The default is: NO 285# 286#SYSLOG_REPORT=NO 287# 288#SYSLOG_REPORT=YES 289# 290###################################################################### 291 292###################################################################### 293# 294# ALLOWED_HOSTS_HOSTNAME_LOOKUP 295# 296# ALLOWED_HOSTS_HOSTNAME_LOOKUP=YES|NO 297# If set to YES, for each entry in the WORK_DIR/allowed-hosts file, 298# the hostname will be looked up. If your versions of tcp_wrappers 299# and sshd sometimes log hostnames in addition to ip addresses 300# then you may wish to specify this option. 301# 302#ALLOWED_HOSTS_HOSTNAME_LOOKUP=NO 303# 304###################################################################### 305 306###################################################################### 307# 308# AGE_RESET_VALID: Specifies the period of time between failed login 309# attempts that, when exceeded will result in the failed count for 310# this host to be reset to 0. This value applies to login attempts 311# to all valid users (those within /etc/passwd) with the 312# exception of root. If not defined, this count will never 313# be reset. 314# 315# See the comments in the PURGE_DENY section (above) 316# for details on specifying this value or for complete details 317# refer to: http://denyhosts.sourceforge.net/faq.html#timespec 318# 319AGE_RESET_VALID=5d 320# 321###################################################################### 322 323###################################################################### 324# 325# AGE_RESET_ROOT: Specifies the period of time between failed login 326# attempts that, when exceeded will result in the failed count for 327# this host to be reset to 0. This value applies to all login 328# attempts to the "root" user account. If not defined, 329# this count will never be reset. 330# 331# See the comments in the PURGE_DENY section (above) 332# for details on specifying this value or for complete details 333# refer to: http://denyhosts.sourceforge.net/faq.html#timespec 334# 335AGE_RESET_ROOT=25d 336# 337###################################################################### 338 339###################################################################### 340# 341# AGE_RESET_RESTRICTED: Specifies the period of time between failed login 342# attempts that, when exceeded will result in the failed count for 343# this host to be reset to 0. This value applies to all login 344# attempts to entries found in the WORK_DIR/restricted-usernames file. 345# If not defined, the count will never be reset. 346# 347# See the comments in the PURGE_DENY section (above) 348# for details on specifying this value or for complete details 349# refer to: http://denyhosts.sourceforge.net/faq.html#timespec 350# 351AGE_RESET_RESTRICTED=25d 352# 353###################################################################### 354 355 356###################################################################### 357# 358# AGE_RESET_INVALID: Specifies the period of time between failed login 359# attempts that, when exceeded will result in the failed count for 360# this host to be reset to 0. This value applies to login attempts 361# made to any invalid username (those that do not appear 362# in /etc/passwd). If not defined, count will never be reset. 363# 364# See the comments in the PURGE_DENY section (above) 365# for details on specifying this value or for complete details 366# refer to: http://denyhosts.sourceforge.net/faq.html#timespec 367# 368AGE_RESET_INVALID=10d 369# 370###################################################################### 371 372 373###################################################################### 374# 375# RESET_ON_SUCCESS: If this parameter is set to "yes" then the 376# failed count for the respective ip address will be reset to 0 377# if the login is successful. 378# 379# The default is RESET_ON_SUCCESS = no 380# 381#RESET_ON_SUCCESS = yes 382# 383##################################################################### 384 385 386###################################################################### 387# 388# PLUGIN_DENY: If set, this value should point to an executable 389# program that will be invoked when a host is added to the 390# HOSTS_DENY file. This executable will be passed the host 391# that will be added as its only argument. 392# 393#PLUGIN_DENY=/usr/bin/true 394# 395###################################################################### 396 397 398###################################################################### 399# 400# PLUGIN_PURGE: If set, this value should point to an executable 401# program that will be invoked when a host is removed from the 402# HOSTS_DENY file. This executable will be passed the host 403# that is to be purged as its only argument. 404# 405#PLUGIN_PURGE=/usr/bin/true 406# 407###################################################################### 408 409###################################################################### 410# 411# USERDEF_FAILED_ENTRY_REGEX: if set, this value should contain 412# a regular expression that can be used to identify additional 413# hackers for your particular ssh configuration. This functionality 414# extends the built-in regular expressions that DenyHosts uses. 415# This parameter can be specified multiple times. 416# See this faq entry for more details: 417# http://denyhosts.sf.net/faq.html#userdef_regex 418# 419#USERDEF_FAILED_ENTRY_REGEX= 420# 421# 422###################################################################### 423 424 425 426 427 ######### THESE SETTINGS ARE SPECIFIC TO DAEMON MODE ########## 428 429 430 431####################################################################### 432# 433# DAEMON_LOG: when DenyHosts is run in daemon mode (--daemon flag) 434# this is the logfile that DenyHosts uses to report its status. 435# To disable logging, leave blank. (default is: /var/log/denyhosts) 436# 437DAEMON_LOG = /var/log/denyhosts 438# 439# disable logging: 440#DAEMON_LOG = 441# 442###################################################################### 443 444####################################################################### 445# 446# DAEMON_LOG_TIME_FORMAT: when DenyHosts is run in daemon mode 447# (--daemon flag) this specifies the timestamp format of 448# the DAEMON_LOG messages (default is the ISO8061 format: 449# ie. 2005-07-22 10:38:01,745) 450# 451# for possible values for this parameter refer to: man strftime 452# 453# Jan 1 13:05:59 454#DAEMON_LOG_TIME_FORMAT = %b %d %H:%M:%S 455# 456# Jan 1 01:05:59 457#DAEMON_LOG_TIME_FORMAT = %b %d %I:%M:%S 458# 459###################################################################### 460 461####################################################################### 462# 463# DAEMON_LOG_MESSAGE_FORMAT: when DenyHosts is run in daemon mode 464# (--daemon flag) this specifies the message format of each logged 465# entry. By default the following format is used: 466# 467# %(asctime)s - %(name)-12s: %(levelname)-8s %(message)s 468# 469# Where the "%(asctime)s" portion is expanded to the format 470# defined by DAEMON_LOG_TIME_FORMAT 471# 472# This string is passed to python's logging.Formatter contstuctor. 473# For details on the possible format types please refer to: 474# http://docs.python.org/lib/node357.html 475# 476# This is the default: 477#DAEMON_LOG_MESSAGE_FORMAT = %(asctime)s - %(name)-12s: %(levelname)-8s %(message)s 478# 479# 480###################################################################### 481 482 483####################################################################### 484# 485# DAEMON_SLEEP: when DenyHosts is run in daemon mode (--daemon flag) 486# this is the amount of time DenyHosts will sleep between polling 487# the SECURE_LOG. See the comments in the PURGE_DENY section (above) 488# for details on specifying this value or for complete details 489# refer to: http://denyhosts.sourceforge.net/faq.html#timespec 490# 491# 492DAEMON_SLEEP = 30s 493# 494####################################################################### 495 496####################################################################### 497# 498# DAEMON_PURGE: How often should DenyHosts, when run in daemon mode, 499# run the purge mechanism to expire old entries in HOSTS_DENY 500# This has no effect if PURGE_DENY is blank. 501# 502DAEMON_PURGE = 1h 503# 504####################################################################### 505 506 507 ######### THESE SETTINGS ARE SPECIFIC TO ########## 508 ######### DAEMON SYNCHRONIZATION ########## 509 510 511####################################################################### 512# 513# Synchronization mode allows the DenyHosts daemon the ability 514# to periodically send and receive denied host data such that 515# DenyHosts daemons worldwide can automatically inform one 516# another regarding banned hosts. This mode is disabled by 517# default, you must uncomment SYNC_SERVER to enable this mode. 518# 519# for more information, please refer to: 520# http:/denyhosts.sourceforge.net/faq.html#sync 521# 522####################################################################### 523 524 525####################################################################### 526# 527# SYNC_SERVER: The central server that communicates with DenyHost 528# daemons. Currently, denyhosts.net is the only available server 529# however, in the future, it may be possible for organizations to 530# install their own server for internal network synchronization 531# 532# To disable synchronization (the default), do nothing. 533# 534# To enable synchronization, you must uncomment the following line: 535#SYNC_SERVER = http://xmlrpc.denyhosts.net:9911 536# 537####################################################################### 538 539####################################################################### 540# 541# SYNC_INTERVAL: the interval of time to perform synchronizations if 542# SYNC_SERVER has been uncommented. The default is 1 hour. 543# 544#SYNC_INTERVAL = 1h 545# 546####################################################################### 547 548 549####################################################################### 550# 551# SYNC_UPLOAD: allow your DenyHosts daemon to transmit hosts that have 552# been denied? This option only applies if SYNC_SERVER has 553# been uncommented. 554# The default is SYNC_UPLOAD = yes 555# 556#SYNC_UPLOAD = no 557#SYNC_UPLOAD = yes 558# 559####################################################################### 560 561 562####################################################################### 563# 564# SYNC_DOWNLOAD: allow your DenyHosts daemon to receive hosts that have 565# been denied by others? This option only applies if SYNC_SERVER has 566# been uncommented. 567# The default is SYNC_DOWNLOAD = yes 568# 569#SYNC_DOWNLOAD = no 570#SYNC_DOWNLOAD = yes 571# 572# 573# 574####################################################################### 575 576####################################################################### 577# 578# SYNC_DOWNLOAD_THRESHOLD: If SYNC_DOWNLOAD is enabled this parameter 579# filters the returned hosts to those that have been blocked this many 580# times by others. That is, if set to 1, then if a single DenyHosts 581# server has denied an ip address then you will receive the denied host. 582# 583# See also SYNC_DOWNLOAD_RESILIENCY 584# 585#SYNC_DOWNLOAD_THRESHOLD = 10 586# 587# The default is SYNC_DOWNLOAD_THRESHOLD = 3 588# 589#SYNC_DOWNLOAD_THRESHOLD = 3 590# 591####################################################################### 592 593####################################################################### 594# 595# SYNC_DOWNLOAD_RESILIENCY: If SYNC_DOWNLOAD is enabled then the 596# value specified for this option limits the downloaded data 597# to this resiliency period or greater. 598# 599# Resiliency is defined as the timespan between a hackers first known 600# attack and its most recent attack. Example: 601# 602# If the centralized denyhosts.net server records an attack at 2 PM 603# and then again at 5 PM, specifying a SYNC_DOWNLOAD_RESILIENCY = 4h 604# will not download this ip address. 605# 606# However, if the attacker is recorded again at 6:15 PM then the 607# ip address will be downloaded by your DenyHosts instance. 608# 609# This value is used in conjunction with the SYNC_DOWNLOAD_THRESHOLD 610# and only hosts that satisfy both values will be downloaded. 611# This value has no effect if SYNC_DOWNLOAD_THRESHOLD = 1 612# 613# The default is SYNC_DOWNLOAD_RESILIENCY = 5h (5 hours) 614# 615# Only obtain hackers that have been at it for 2 days or more: 616#SYNC_DOWNLOAD_RESILIENCY = 2d 617# 618# Only obtain hackers that have been at it for 5 hours or more: 619#SYNC_DOWNLOAD_RESILIENCY = 5h 620# 621####################################################################### 622