PageRenderTime 152ms CodeModel.GetById 143ms app.highlight 5ms RepoModel.GetById 1ms app.codeStats 0ms

/denyhosts.conf

http://github.com/brinkman83/bashrc
Config | 622 lines | 554 code | 68 blank | 0 comment | 0 complexity | ee380750666cb6961f64922f34be4b20 MD5 | raw file
  1       ############ THESE SETTINGS ARE REQUIRED ############
  2
  3########################################################################
  4#
  5# SECURE_LOG: the log file that contains sshd logging info
  6# if you are not sure, grep "sshd:" /var/log/*
  7#
  8# The file to process can be overridden with the --file command line
  9# argument
 10#
 11# Redhat or Fedora Core:
 12#SECURE_LOG = /var/log/secure
 13#
 14# Mandrake, FreeBSD or OpenBSD: 
 15#SECURE_LOG = /var/log/auth.log
 16#
 17# SuSE:
 18#SECURE_LOG = /var/log/messages
 19#
 20# Mac OS X (v10.4 or greater - 
 21#   also refer to:   http://www.denyhosts.net/faq.html#macos
 22#SECURE_LOG = /private/var/log/asl.log
 23#
 24# Mac OS X (v10.3 or earlier):
 25#SECURE_LOG=/private/var/log/system.log
 26#
 27# Debian:
 28SECURE_LOG = /var/log/auth.log
 29########################################################################
 30
 31########################################################################
 32#
 33# HOSTS_DENY: the file which contains restricted host access information
 34#
 35# Most operating systems:
 36HOSTS_DENY = /etc/hosts.deny
 37#
 38# Some BSD (FreeBSD) Unixes:
 39#HOSTS_DENY = /etc/hosts.allow
 40#
 41# Another possibility (also see the next option):
 42#HOSTS_DENY = /etc/hosts.evil
 43#######################################################################
 44
 45
 46########################################################################
 47#
 48# PURGE_DENY: removed HOSTS_DENY entries that are older than this time
 49#             when DenyHosts is invoked with the --purge flag
 50#
 51#      format is: i[dhwmy]
 52#      Where 'i' is an integer (eg. 7) 
 53#            'm' = minutes
 54#            'h' = hours
 55#            'd' = days
 56#            'w' = weeks
 57#            'y' = years
 58#
 59# never purge:
 60PURGE_DENY = 
 61#
 62# purge entries older than 1 week
 63#PURGE_DENY = 1w
 64#
 65# purge entries older than 5 days
 66#PURGE_DENY = 5d
 67#######################################################################
 68
 69#######################################################################
 70#
 71# PURGE_THRESHOLD: defines the maximum times a host will be purged.  
 72# Once this value has been exceeded then this host will not be purged. 
 73# Setting this parameter to 0 (the default) disables this feature.
 74#
 75# default: a denied host can be purged/re-added indefinitely
 76#PURGE_THRESHOLD = 0
 77#
 78# a denied host will be purged at most 2 times. 
 79#PURGE_THRESHOLD = 2 
 80#
 81#######################################################################
 82
 83
 84#######################################################################
 85#
 86# BLOCK_SERVICE: the service name that should be blocked in HOSTS_DENY
 87# 
 88# man 5 hosts_access for details
 89#
 90# eg.   sshd: 127.0.0.1  # will block sshd logins from 127.0.0.1
 91#
 92# To block all services for the offending host:
 93#BLOCK_SERVICE = ALL
 94# To block only sshd:
 95BLOCK_SERVICE  = sshd
 96# To only record the offending host and nothing else (if using
 97# an auxilary file to list the hosts).  Refer to: 
 98# http://denyhosts.sourceforge.net/faq.html#aux
 99#BLOCK_SERVICE =    
100#
101#######################################################################
102
103
104#######################################################################
105#
106# DENY_THRESHOLD_INVALID: block each host after the number of failed login 
107# attempts has exceeded this value.  This value applies to invalid
108# user login attempts (eg. non-existent user accounts)
109#
110DENY_THRESHOLD_INVALID = 5
111#
112#######################################################################
113
114#######################################################################
115#
116# DENY_THRESHOLD_VALID: block each host after the number of failed 
117# login attempts has exceeded this value.  This value applies to valid
118# user login attempts (eg. user accounts that exist in /etc/passwd) except
119# for the "root" user
120#
121DENY_THRESHOLD_VALID = 10
122#
123#######################################################################
124
125#######################################################################
126#
127# DENY_THRESHOLD_ROOT: block each host after the number of failed 
128# login attempts has exceeded this value.  This value applies to 
129# "root" user login attempts only.
130#
131DENY_THRESHOLD_ROOT = 1
132#
133#######################################################################
134
135
136#######################################################################
137#
138# DENY_THRESHOLD_RESTRICTED: block each host after the number of failed 
139# login attempts has exceeded this value.  This value applies to 
140# usernames that appear in the WORK_DIR/restricted-usernames file only.
141#
142DENY_THRESHOLD_RESTRICTED = 1
143#
144#######################################################################
145
146
147#######################################################################
148#
149# WORK_DIR: the path that DenyHosts will use for writing data to
150# (it will be created if it does not already exist).  
151#
152# Note: it is recommended that you use an absolute pathname
153# for this value (eg. /home/foo/denyhosts/data)
154#
155WORK_DIR = /var/lib/denyhosts
156#
157#######################################################################
158
159#######################################################################
160#
161# SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS
162#
163# SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES|NO
164# If set to YES, if a suspicious login attempt results from an allowed-host
165# then it is considered suspicious.  If this is NO, then suspicious logins 
166# from allowed-hosts will not be reported.  All suspicious logins from 
167# ip addresses that are not in allowed-hosts will always be reported.
168#
169SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
170######################################################################
171
172######################################################################
173#
174# HOSTNAME_LOOKUP
175#
176# HOSTNAME_LOOKUP=YES|NO
177# If set to YES, for each IP address that is reported by Denyhosts,
178# the corresponding hostname will be looked up and reported as well
179# (if available).
180#
181HOSTNAME_LOOKUP=YES
182#
183######################################################################
184
185
186######################################################################
187#
188# LOCK_FILE
189#
190# LOCK_FILE=/path/denyhosts
191# If this file exists when DenyHosts is run, then DenyHosts will exit
192# immediately.  Otherwise, this file will be created upon invocation
193# and deleted upon exit.  This ensures that only one instance is
194# running at a time.
195#
196# Redhat/Fedora:
197#LOCK_FILE = /var/lock/subsys/denyhosts
198#
199# Debian
200LOCK_FILE = /var/run/denyhosts.pid
201#
202# Misc
203#LOCK_FILE = /tmp/denyhosts.lock
204#
205######################################################################
206
207
208       ############ THESE SETTINGS ARE OPTIONAL ############
209
210
211#######################################################################
212#
213# ADMIN_EMAIL: if you would like to receive emails regarding newly
214# restricted hosts and suspicious logins, set this address to 
215# match your email address.  If you do not want to receive these reports
216# leave this field blank (or run with the --noemail option)
217#
218# Multiple email addresses can be delimited by a comma, eg:
219# ADMIN_EMAIL = foo@bar.com, bar@foo.com, etc@foobar.com
220#
221ADMIN_EMAIL = root@localhost
222#
223#######################################################################
224
225#######################################################################
226#
227# SMTP_HOST and SMTP_PORT: if DenyHosts is configured to email 
228# reports (see ADMIN_EMAIL) then these settings specify the 
229# email server address (SMTP_HOST) and the server port (SMTP_PORT)
230# 
231#
232SMTP_HOST = localhost
233SMTP_PORT = 25
234#
235#######################################################################
236
237#######################################################################
238# 
239# SMTP_USERNAME and SMTP_PASSWORD: set these parameters if your 
240# smtp email server requires authentication
241#
242#SMTP_USERNAME=foo
243#SMTP_PASSWORD=bar
244#
245######################################################################
246
247#######################################################################
248#
249# SMTP_FROM: you can specify the "From:" address in messages sent
250# from DenyHosts when it reports thwarted abuse attempts
251#
252SMTP_FROM = DenyHosts <nobody@localhost>
253#
254#######################################################################
255
256#######################################################################
257#
258# SMTP_SUBJECT: you can specify the "Subject:" of messages sent
259# by DenyHosts when it reports thwarted abuse attempts
260SMTP_SUBJECT = DenyHosts Report
261#
262######################################################################
263
264######################################################################
265#
266# SMTP_DATE_FORMAT: specifies the format used for the "Date:" header
267# when sending email messages.
268#
269# for possible values for this parameter refer to: man strftime
270#
271# the default:
272#
273#SMTP_DATE_FORMAT = %a, %d %b %Y %H:%M:%S %z
274#
275######################################################################
276
277######################################################################
278#
279# SYSLOG_REPORT
280#
281# SYSLOG_REPORT=YES|NO
282# If set to yes, when denied hosts are recorded the report data
283# will be sent to syslog (syslog must be present on your system).
284# The default is: NO
285#
286#SYSLOG_REPORT=NO
287#
288#SYSLOG_REPORT=YES
289#
290######################################################################
291
292######################################################################
293#
294# ALLOWED_HOSTS_HOSTNAME_LOOKUP
295#
296# ALLOWED_HOSTS_HOSTNAME_LOOKUP=YES|NO
297# If set to YES, for each entry in the WORK_DIR/allowed-hosts file,
298# the hostname will be looked up.  If your versions of tcp_wrappers
299# and sshd sometimes log hostnames in addition to ip addresses
300# then you may wish to specify this option.
301# 
302#ALLOWED_HOSTS_HOSTNAME_LOOKUP=NO
303#
304######################################################################
305
306###################################################################### 
307# 
308# AGE_RESET_VALID: Specifies the period of time between failed login
309# attempts that, when exceeded will result in the failed count for 
310# this host to be reset to 0.  This value applies to login attempts 
311# to all valid users (those within /etc/passwd) with the 
312# exception of root.  If not defined, this count will never
313# be reset.
314#
315# See the comments in the PURGE_DENY section (above) 
316# for details on specifying this value or for complete details 
317# refer to:  http://denyhosts.sourceforge.net/faq.html#timespec
318#
319AGE_RESET_VALID=5d
320#
321######################################################################
322
323###################################################################### 
324# 
325# AGE_RESET_ROOT: Specifies the period of time between failed login
326# attempts that, when exceeded will result in the failed count for 
327# this host to be reset to 0.  This value applies to all login 
328# attempts to the "root" user account.  If not defined,
329# this count will never be reset.
330#
331# See the comments in the PURGE_DENY section (above) 
332# for details on specifying this value or for complete details 
333# refer to:  http://denyhosts.sourceforge.net/faq.html#timespec
334#
335AGE_RESET_ROOT=25d
336#
337######################################################################
338
339###################################################################### 
340# 
341# AGE_RESET_RESTRICTED: Specifies the period of time between failed login
342# attempts that, when exceeded will result in the failed count for 
343# this host to be reset to 0.  This value applies to all login 
344# attempts to entries found in the WORK_DIR/restricted-usernames file.  
345# If not defined, the count will never be reset.
346#
347# See the comments in the PURGE_DENY section (above) 
348# for details on specifying this value or for complete details 
349# refer to:  http://denyhosts.sourceforge.net/faq.html#timespec
350#
351AGE_RESET_RESTRICTED=25d
352#
353######################################################################
354
355
356###################################################################### 
357# 
358# AGE_RESET_INVALID: Specifies the period of time between failed login
359# attempts that, when exceeded will result in the failed count for 
360# this host to be reset to 0.  This value applies to login attempts 
361# made to any invalid username (those that do not appear 
362# in /etc/passwd).  If not defined, count will never be reset.
363#
364# See the comments in the PURGE_DENY section (above) 
365# for details on specifying this value or for complete details 
366# refer to:  http://denyhosts.sourceforge.net/faq.html#timespec
367#
368AGE_RESET_INVALID=10d
369#
370######################################################################
371
372
373######################################################################
374#
375# RESET_ON_SUCCESS: If this parameter is set to "yes" then the
376# failed count for the respective ip address will be reset to 0
377# if the login is successful.  
378#
379# The default is RESET_ON_SUCCESS = no
380#
381#RESET_ON_SUCCESS = yes
382#
383#####################################################################
384
385
386######################################################################
387#
388# PLUGIN_DENY: If set, this value should point to an executable
389# program that will be invoked when a host is added to the
390# HOSTS_DENY file.  This executable will be passed the host
391# that will be added as its only argument.
392#
393#PLUGIN_DENY=/usr/bin/true
394#
395######################################################################
396
397
398######################################################################
399#
400# PLUGIN_PURGE: If set, this value should point to an executable
401# program that will be invoked when a host is removed from the
402# HOSTS_DENY file.  This executable will be passed the host
403# that is to be purged as its only argument.
404#
405#PLUGIN_PURGE=/usr/bin/true
406#
407######################################################################
408
409######################################################################
410#
411# USERDEF_FAILED_ENTRY_REGEX: if set, this value should contain
412# a regular expression that can be used to identify additional
413# hackers for your particular ssh configuration.  This functionality
414# extends the built-in regular expressions that DenyHosts uses.
415# This parameter can be specified multiple times.
416# See this faq entry for more details:
417#    http://denyhosts.sf.net/faq.html#userdef_regex
418#
419#USERDEF_FAILED_ENTRY_REGEX=
420#
421#
422######################################################################
423
424
425
426
427   ######### THESE SETTINGS ARE SPECIFIC TO DAEMON MODE  ##########
428
429
430
431#######################################################################
432#
433# DAEMON_LOG: when DenyHosts is run in daemon mode (--daemon flag)
434# this is the logfile that DenyHosts uses to report its status.
435# To disable logging, leave blank.  (default is: /var/log/denyhosts)
436#
437DAEMON_LOG = /var/log/denyhosts
438#
439# disable logging:
440#DAEMON_LOG = 
441#
442######################################################################
443
444#######################################################################
445# 
446# DAEMON_LOG_TIME_FORMAT: when DenyHosts is run in daemon mode 
447# (--daemon flag) this specifies the timestamp format of 
448# the DAEMON_LOG messages (default is the ISO8061 format:
449# ie. 2005-07-22 10:38:01,745)
450#
451# for possible values for this parameter refer to: man strftime
452#
453# Jan 1 13:05:59   
454#DAEMON_LOG_TIME_FORMAT = %b %d %H:%M:%S
455#
456# Jan 1 01:05:59 
457#DAEMON_LOG_TIME_FORMAT = %b %d %I:%M:%S
458#
459###################################################################### 
460
461#######################################################################
462# 
463# DAEMON_LOG_MESSAGE_FORMAT: when DenyHosts is run in daemon mode 
464# (--daemon flag) this specifies the message format of each logged
465# entry.  By default the following format is used:
466#
467# %(asctime)s - %(name)-12s: %(levelname)-8s %(message)s
468#
469# Where the "%(asctime)s" portion is expanded to the format
470# defined by DAEMON_LOG_TIME_FORMAT
471#
472# This string is passed to python's logging.Formatter contstuctor.
473# For details on the possible format types please refer to:
474# http://docs.python.org/lib/node357.html
475#
476# This is the default:
477#DAEMON_LOG_MESSAGE_FORMAT = %(asctime)s - %(name)-12s: %(levelname)-8s %(message)s
478#
479#
480###################################################################### 
481
482 
483#######################################################################
484#
485# DAEMON_SLEEP: when DenyHosts is run in daemon mode (--daemon flag)
486# this is the amount of time DenyHosts will sleep between polling
487# the SECURE_LOG.  See the comments in the PURGE_DENY section (above)
488# for details on specifying this value or for complete details
489# refer to:    http://denyhosts.sourceforge.net/faq.html#timespec
490# 
491#
492DAEMON_SLEEP = 30s
493#
494#######################################################################
495
496#######################################################################
497#
498# DAEMON_PURGE: How often should DenyHosts, when run in daemon mode,
499# run the purge mechanism to expire old entries in HOSTS_DENY
500# This has no effect if PURGE_DENY is blank.
501#
502DAEMON_PURGE = 1h
503#
504#######################################################################
505
506
507   #########   THESE SETTINGS ARE SPECIFIC TO     ##########
508   #########       DAEMON SYNCHRONIZATION         ##########
509
510
511#######################################################################
512#
513# Synchronization mode allows the DenyHosts daemon the ability
514# to periodically send and receive denied host data such that 
515# DenyHosts daemons worldwide can automatically inform one
516# another regarding banned hosts.   This mode is disabled by
517# default, you must uncomment SYNC_SERVER to enable this mode.
518#
519# for more information, please refer to: 
520#        http:/denyhosts.sourceforge.net/faq.html#sync 
521#
522#######################################################################
523
524
525#######################################################################
526#
527# SYNC_SERVER: The central server that communicates with DenyHost
528# daemons.  Currently, denyhosts.net is the only available server
529# however, in the future, it may be possible for organizations to
530# install their own server for internal network synchronization
531#
532# To disable synchronization (the default), do nothing. 
533#
534# To enable synchronization, you must uncomment the following line:
535#SYNC_SERVER = http://xmlrpc.denyhosts.net:9911
536#
537#######################################################################
538
539#######################################################################
540#
541# SYNC_INTERVAL: the interval of time to perform synchronizations if
542# SYNC_SERVER has been uncommented.  The default is 1 hour.
543# 
544#SYNC_INTERVAL = 1h
545#
546#######################################################################
547
548
549#######################################################################
550#
551# SYNC_UPLOAD: allow your DenyHosts daemon to transmit hosts that have
552# been denied?  This option only applies if SYNC_SERVER has
553# been uncommented.
554# The default is SYNC_UPLOAD = yes
555#
556#SYNC_UPLOAD = no
557#SYNC_UPLOAD = yes
558#
559#######################################################################
560
561
562#######################################################################
563#
564# SYNC_DOWNLOAD: allow your DenyHosts daemon to receive hosts that have
565# been denied by others?  This option only applies if SYNC_SERVER has
566# been uncommented.
567# The default is SYNC_DOWNLOAD = yes
568#
569#SYNC_DOWNLOAD = no
570#SYNC_DOWNLOAD = yes
571#
572#
573#
574#######################################################################
575
576#######################################################################
577#
578# SYNC_DOWNLOAD_THRESHOLD: If SYNC_DOWNLOAD is enabled this parameter
579# filters the returned hosts to those that have been blocked this many
580# times by others.  That is, if set to 1, then if a single DenyHosts
581# server has denied an ip address then you will receive the denied host.
582# 
583# See also SYNC_DOWNLOAD_RESILIENCY
584#
585#SYNC_DOWNLOAD_THRESHOLD = 10
586#
587# The default is SYNC_DOWNLOAD_THRESHOLD = 3 
588#
589#SYNC_DOWNLOAD_THRESHOLD = 3
590#
591#######################################################################
592
593#######################################################################
594#
595# SYNC_DOWNLOAD_RESILIENCY:  If SYNC_DOWNLOAD is enabled then the
596# value specified for this option limits the downloaded data
597# to this resiliency period or greater.
598#
599# Resiliency is defined as the timespan between a hackers first known 
600# attack and its most recent attack.  Example:
601# 
602# If the centralized   denyhosts.net server records an attack at 2 PM 
603# and then again at 5 PM, specifying a SYNC_DOWNLOAD_RESILIENCY = 4h 
604# will not download this ip address.
605#
606# However, if the attacker is recorded again at 6:15 PM then the 
607# ip address will be downloaded by your DenyHosts instance.  
608#
609# This value is used in conjunction with the SYNC_DOWNLOAD_THRESHOLD 
610# and only hosts that satisfy both values will be downloaded.  
611# This value has no effect if SYNC_DOWNLOAD_THRESHOLD = 1 
612#
613# The default is SYNC_DOWNLOAD_RESILIENCY = 5h (5 hours)
614#
615# Only obtain hackers that have been at it for 2 days or more:
616#SYNC_DOWNLOAD_RESILIENCY = 2d
617#
618# Only obtain hackers that have been at it for 5 hours or more:
619#SYNC_DOWNLOAD_RESILIENCY = 5h
620#
621#######################################################################
622