/denyhosts.conf


  1. ############ THESE SETTINGS ARE REQUIRED ############
  2. ########################################################################
  3. #
  4. # SECURE_LOG: the log file that contains sshd logging info
  5. # if you are not sure, grep "sshd:" /var/log/*
  6. #
  7. # The file to process can be overridden with the --file command line
  8. # argument
  9. #
  10. # Redhat or Fedora Core:
  11. #SECURE_LOG = /var/log/secure
  12. #
  13. # Mandrake, FreeBSD or OpenBSD:
  14. #SECURE_LOG = /var/log/auth.log
  15. #
  16. # SuSE:
  17. #SECURE_LOG = /var/log/messages
  18. #
  19. # Mac OS X (v10.4 or greater -
  20. # also refer to: http://www.denyhosts.net/faq.html#macos
  21. #SECURE_LOG = /private/var/log/asl.log
  22. #
  23. # Mac OS X (v10.3 or earlier):
  24. #SECURE_LOG=/private/var/log/system.log
  25. #
  26. # Debian:
  27. SECURE_LOG = /var/log/auth.log
  28. ########################################################################
  29. ########################################################################
  30. #
  31. # HOSTS_DENY: the file which contains restricted host access information
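  32. # Entries only take effect for services that honour tcp_wrappers (libwrap); check that your sshd build does.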
  33. # Most operating systems:
  34. HOSTS_DENY = /etc/hosts.deny
  35. #
  36. # Some BSD (FreeBSD) Unixes:
  37. #HOSTS_DENY = /etc/hosts.allow
  38. #
  39. # Another possibility (also see the next option):
  40. #HOSTS_DENY = /etc/hosts.evil
  41. #######################################################################
  42. ########################################################################
  43. #
  44. # PURGE_DENY: remove HOSTS_DENY entries that are older than this time
  45. # when DenyHosts is invoked with the --purge flag
  46. #
  47. # format is: i[dhwmy]
  48. # Where 'i' is an integer (eg. 7)
  49. # 'm' = minutes
  50. # 'h' = hours
  51. # 'd' = days
  52. # 'w' = weeks
  53. # 'y' = years
  54. # ('s' = seconds is also used in this file, eg. DAEMON_SLEEP = 30s)
  55. # never purge:
  56. PURGE_DENY =
  57. #
  58. # purge entries older than 1 week
  59. #PURGE_DENY = 1w
  60. #
  61. # purge entries older than 5 days
  62. #PURGE_DENY = 5d
  63. #######################################################################
  64. #######################################################################
  65. #
  66. # PURGE_THRESHOLD: defines the maximum times a host will be purged.
  67. # Once this value has been exceeded then this host will not be purged.
  68. # Setting this parameter to 0 (the default) disables this feature.
  69. #
  70. # default: a denied host can be purged/re-added indefinitely
  71. #PURGE_THRESHOLD = 0
  72. #
  73. # a denied host will be purged at most 2 times.
  74. #PURGE_THRESHOLD = 2
  75. #
  76. #######################################################################
  77. #######################################################################
  78. #
  79. # BLOCK_SERVICE: the service name that should be blocked in HOSTS_DENY
  80. #
  81. # man 5 hosts_access for details
  82. #
  83. # eg. sshd: 127.0.0.1 # will block sshd logins from 127.0.0.1
  84. #
  85. # To block all services for the offending host:
  86. #BLOCK_SERVICE = ALL
  87. # To block only sshd:
  88. BLOCK_SERVICE = sshd
  89. # To only record the offending host and nothing else (if using
  90. # an auxiliary file to list the hosts). Refer to:
  91. # http://denyhosts.sourceforge.net/faq.html#aux
  92. #BLOCK_SERVICE =
  93. #
  94. #######################################################################
  95. #######################################################################
  96. #
  97. # DENY_THRESHOLD_INVALID: block each host after the number of failed login
  98. # attempts has exceeded this value. This value applies to invalid
  99. # user login attempts (eg. non-existent user accounts)
  100. #
  101. DENY_THRESHOLD_INVALID = 5
  102. #
  103. #######################################################################
  104. #######################################################################
  105. #
  106. # DENY_THRESHOLD_VALID: block each host after the number of failed
  107. # login attempts has exceeded this value. This value applies to valid
  108. # user login attempts (eg. user accounts that exist in /etc/passwd) except
  109. # for the "root" user
  110. #
  111. DENY_THRESHOLD_VALID = 10
  112. #
  113. #######################################################################
  114. #######################################################################
  115. #
  116. # DENY_THRESHOLD_ROOT: block each host after the number of failed
  117. # login attempts has exceeded this value. This value applies to
  118. # "root" user login attempts only.
  119. #
  120. DENY_THRESHOLD_ROOT = 1
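  121. # Note: a threshold this low can lock out an administrator after a typo; list trusted addresses in WORK_DIR/allowed-hosts.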
  122. #######################################################################
  123. #######################################################################
  124. #
  125. # DENY_THRESHOLD_RESTRICTED: block each host after the number of failed
  126. # login attempts has exceeded this value. This value applies to
  127. # usernames that appear in the WORK_DIR/restricted-usernames file only.
  128. #
  129. DENY_THRESHOLD_RESTRICTED = 1
  130. #
  131. #######################################################################
  132. #######################################################################
  133. #
  134. # WORK_DIR: the path that DenyHosts will use for writing data to
  135. # (it will be created if it does not already exist).
  136. #
  137. # Note: it is recommended that you use an absolute pathname
  138. # for this value (eg. /home/foo/denyhosts/data)
  139. #
  140. WORK_DIR = /var/lib/denyhosts
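  141. # Keep this directory writable by root only: it also holds the allowed-hosts and restricted-usernames files.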
  142. #######################################################################
  143. #######################################################################
  144. #
  145. # SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS
  146. #
  147. # SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES|NO
  148. # If set to YES, a suspicious login attempt from an allowed-host is
  149. # still reported as suspicious. If this is NO, then suspicious logins
  150. # from allowed-hosts will not be reported. All suspicious logins from
  151. # ip addresses that are not in allowed-hosts will always be reported.
  152. #
  153. SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
  154. ######################################################################
  155. ######################################################################
  156. #
  157. # HOSTNAME_LOOKUP
  158. #
  159. # HOSTNAME_LOOKUP=YES|NO
  160. # If set to YES, for each IP address that is reported by Denyhosts,
  161. # the corresponding hostname will be looked up and reported as well
  162. # (if available).
  163. #
  164. HOSTNAME_LOOKUP=YES
  165. #
  166. ######################################################################
  167. ######################################################################
  168. #
  169. # LOCK_FILE
  170. #
  171. # LOCK_FILE=/path/denyhosts
  172. # If this file exists when DenyHosts is run, then DenyHosts will exit
  173. # immediately. Otherwise, this file will be created upon invocation
  174. # and deleted upon exit. This ensures that only one instance is
  175. # running at a time.
  176. #
  177. # Redhat/Fedora:
  178. #LOCK_FILE = /var/lock/subsys/denyhosts
  179. #
  180. # Debian
  181. LOCK_FILE = /var/run/denyhosts.pid
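  182. # Misc. Note: /tmp is world-writable, so any local user can pre-create
  183. # this file and DenyHosts will then exit immediately (see above):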
  184. #LOCK_FILE = /tmp/denyhosts.lock
  185. #
  186. ######################################################################
  187. ############ THESE SETTINGS ARE OPTIONAL ############
  188. #######################################################################
  189. #
  190. # ADMIN_EMAIL: if you would like to receive emails regarding newly
  191. # restricted hosts and suspicious logins, set this address to
  192. # match your email address. If you do not want to receive these reports
  193. # leave this field blank (or run with the --noemail option)
  194. #
  195. # Multiple email addresses can be delimited by a comma, eg:
  196. # ADMIN_EMAIL = foo@bar.com, bar@foo.com, etc@foobar.com
  197. #
  198. ADMIN_EMAIL = root@localhost
  199. #
  200. #######################################################################
  201. #######################################################################
  202. #
  203. # SMTP_HOST and SMTP_PORT: if DenyHosts is configured to email
  204. # reports (see ADMIN_EMAIL) then these settings specify the
  205. # email server address (SMTP_HOST) and the server port (SMTP_PORT)
  206. #
  207. #
  208. SMTP_HOST = localhost
  209. SMTP_PORT = 25
  210. #
  211. #######################################################################
  212. #######################################################################
  213. #
  214. # SMTP_USERNAME and SMTP_PASSWORD: set these parameters if your
  215. # smtp email server requires authentication. The password is stored
  216. # here in clear text, so keep this file readable by root only.
  217. #SMTP_USERNAME=foo
  218. #SMTP_PASSWORD=bar
  219. #
  220. ######################################################################
  221. #######################################################################
  222. #
  223. # SMTP_FROM: you can specify the "From:" address in messages sent
  224. # from DenyHosts when it reports thwarted abuse attempts
  225. #
  226. SMTP_FROM = DenyHosts <nobody@localhost>
  227. #
  228. #######################################################################
  229. #######################################################################
  230. #
  231. # SMTP_SUBJECT: you can specify the "Subject:" of messages sent
  232. # by DenyHosts when it reports thwarted abuse attempts
  233. SMTP_SUBJECT = DenyHosts Report
  234. #
  235. ######################################################################
  236. ######################################################################
  237. #
  238. # SMTP_DATE_FORMAT: specifies the format used for the "Date:" header
  239. # when sending email messages.
  240. #
  241. # for possible values for this parameter refer to: man strftime
  242. #
  243. # the default:
  244. #
  245. #SMTP_DATE_FORMAT = %a, %d %b %Y %H:%M:%S %z
  246. #
  247. ######################################################################
  248. ######################################################################
  249. #
  250. # SYSLOG_REPORT
  251. #
  252. # SYSLOG_REPORT=YES|NO
  253. # If set to yes, when denied hosts are recorded the report data
  254. # will be sent to syslog (syslog must be present on your system).
  255. # The default is: NO
  256. #
  257. #SYSLOG_REPORT=NO
  258. #
  259. #SYSLOG_REPORT=YES
  260. #
  261. ######################################################################
  262. ######################################################################
  263. #
  264. # ALLOWED_HOSTS_HOSTNAME_LOOKUP
  265. #
  266. # ALLOWED_HOSTS_HOSTNAME_LOOKUP=YES|NO
  267. # If set to YES, for each entry in the WORK_DIR/allowed-hosts file,
  268. # the hostname will be looked up. If your versions of tcp_wrappers
  269. # and sshd sometimes log hostnames in addition to ip addresses
  270. # then you may wish to specify this option.
  271. #
  272. #ALLOWED_HOSTS_HOSTNAME_LOOKUP=NO
  273. #
  274. ######################################################################
  275. ######################################################################
  276. #
  277. # AGE_RESET_VALID: Specifies the period of time between failed login
  278. # attempts that, when exceeded will result in the failed count for
  279. # this host to be reset to 0. This value applies to login attempts
  280. # to all valid users (those within /etc/passwd) with the
  281. # exception of root. If not defined, this count will never
  282. # be reset.
  283. #
  284. # See the comments in the PURGE_DENY section (above)
  285. # for details on specifying this value or for complete details
  286. # refer to: http://denyhosts.sourceforge.net/faq.html#timespec
  287. #
  288. AGE_RESET_VALID=5d
  289. #
  290. ######################################################################
  291. ######################################################################
  292. #
  293. # AGE_RESET_ROOT: Specifies the period of time between failed login
  294. # attempts that, when exceeded will result in the failed count for
  295. # this host to be reset to 0. This value applies to all login
  296. # attempts to the "root" user account. If not defined,
  297. # this count will never be reset.
  298. #
  299. # See the comments in the PURGE_DENY section (above)
  300. # for details on specifying this value or for complete details
  301. # refer to: http://denyhosts.sourceforge.net/faq.html#timespec
  302. #
  303. AGE_RESET_ROOT=25d
  304. #
  305. ######################################################################
  306. ######################################################################
  307. #
  308. # AGE_RESET_RESTRICTED: Specifies the period of time between failed login
  309. # attempts that, when exceeded will result in the failed count for
  310. # this host to be reset to 0. This value applies to all login
  311. # attempts to entries found in the WORK_DIR/restricted-usernames file.
  312. # If not defined, the count will never be reset.
  313. #
  314. # See the comments in the PURGE_DENY section (above)
  315. # for details on specifying this value or for complete details
  316. # refer to: http://denyhosts.sourceforge.net/faq.html#timespec
  317. #
  318. AGE_RESET_RESTRICTED=25d
  319. #
  320. ######################################################################
  321. ######################################################################
  322. #
  323. # AGE_RESET_INVALID: Specifies the period of time between failed login
  324. # attempts that, when exceeded will result in the failed count for
  325. # this host to be reset to 0. This value applies to login attempts
  326. # made to any invalid username (those that do not appear
  327. # in /etc/passwd). If not defined, count will never be reset.
  328. #
  329. # See the comments in the PURGE_DENY section (above)
  330. # for details on specifying this value or for complete details
  331. # refer to: http://denyhosts.sourceforge.net/faq.html#timespec
  332. #
  333. AGE_RESET_INVALID=10d
  334. #
  335. ######################################################################
  336. ######################################################################
  337. #
  338. # RESET_ON_SUCCESS: If this parameter is set to "yes" then the
  339. # failed count for the respective ip address will be reset to 0
  340. # if the login is successful.
  341. #
  342. # The default is RESET_ON_SUCCESS = no
  343. #
  344. #RESET_ON_SUCCESS = yes
  345. #
  346. #####################################################################
  347. ######################################################################
  348. #
  349. # PLUGIN_DENY: If set, this value should point to an executable
  350. # program that will be invoked when a host is added to the
  351. # HOSTS_DENY file. This executable will be passed the host
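  352. # that will be added as its only argument. The program runs with
  353. # DenyHosts' privileges (usually root): keep it root-owned and treat the argument as untrusted log data.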
  354. #PLUGIN_DENY=/usr/bin/true
  355. #
  356. ######################################################################
  357. ######################################################################
  358. #
  359. # PLUGIN_PURGE: If set, this value should point to an executable
  360. # program that will be invoked when a host is removed from the
  361. # HOSTS_DENY file. This executable will be passed the host
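  362. # that is to be purged as its only argument. The program runs with
  363. # DenyHosts' privileges (usually root): keep it root-owned and treat the argument as untrusted log data.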
  364. #PLUGIN_PURGE=/usr/bin/true
  365. #
  366. ######################################################################
  367. ######################################################################
  368. #
  369. # USERDEF_FAILED_ENTRY_REGEX: if set, this value should contain
  370. # a regular expression that can be used to identify additional
  371. # hackers for your particular ssh configuration. This functionality
  372. # extends the built-in regular expressions that DenyHosts uses.
  373. # This parameter can be specified multiple times.
  374. # See this faq entry for more details:
  375. # http://denyhosts.sf.net/faq.html#userdef_regex
  376. #
  377. #USERDEF_FAILED_ENTRY_REGEX=
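  378. # Anchor the expression tightly: if attacker-supplied text in a log line
  379. # (such as a username) can match as the host, arbitrary hosts may get blocked.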
  380. ######################################################################
  381. ######### THESE SETTINGS ARE SPECIFIC TO DAEMON MODE ##########
  382. #######################################################################
  383. #
  384. # DAEMON_LOG: when DenyHosts is run in daemon mode (--daemon flag)
  385. # this is the logfile that DenyHosts uses to report its status.
  386. # To disable logging, leave blank. (default is: /var/log/denyhosts)
  387. #
  388. DAEMON_LOG = /var/log/denyhosts
  389. #
  390. # disable logging:
  391. #DAEMON_LOG =
  392. #
  393. ######################################################################
  394. #######################################################################
  395. #
  396. # DAEMON_LOG_TIME_FORMAT: when DenyHosts is run in daemon mode
  397. # (--daemon flag) this specifies the timestamp format of
  398. # the DAEMON_LOG messages (default is the ISO 8601 format:
  399. # ie. 2005-07-22 10:38:01,745)
  400. #
  401. # for possible values for this parameter refer to: man strftime
  402. #
  403. # Jan 1 13:05:59
  404. #DAEMON_LOG_TIME_FORMAT = %b %d %H:%M:%S
  405. #
  406. # Jan 1 01:05:59
  407. #DAEMON_LOG_TIME_FORMAT = %b %d %I:%M:%S
  408. #
  409. ######################################################################
  410. #######################################################################
  411. #
  412. # DAEMON_LOG_MESSAGE_FORMAT: when DenyHosts is run in daemon mode
  413. # (--daemon flag) this specifies the message format of each logged
  414. # entry. By default the following format is used:
  415. #
  416. # %(asctime)s - %(name)-12s: %(levelname)-8s %(message)s
  417. #
  418. # Where the "%(asctime)s" portion is expanded to the format
  419. # defined by DAEMON_LOG_TIME_FORMAT
  420. #
  421. # This string is passed to python's logging.Formatter constructor.
  422. # For details on the possible format types please refer to:
  423. # http://docs.python.org/lib/node357.html
  424. #
  425. # This is the default:
  426. #DAEMON_LOG_MESSAGE_FORMAT = %(asctime)s - %(name)-12s: %(levelname)-8s %(message)s
  427. #
  428. #
  429. ######################################################################
  430. #######################################################################
  431. #
  432. # DAEMON_SLEEP: when DenyHosts is run in daemon mode (--daemon flag)
  433. # this is the amount of time DenyHosts will sleep between polling
  434. # the SECURE_LOG. See the comments in the PURGE_DENY section (above)
  435. # for details on specifying this value or for complete details
  436. # refer to: http://denyhosts.sourceforge.net/faq.html#timespec
  437. #
  438. #
  439. DAEMON_SLEEP = 30s
  440. #
  441. #######################################################################
  442. #######################################################################
  443. #
  444. # DAEMON_PURGE: How often should DenyHosts, when run in daemon mode,
  445. # run the purge mechanism to expire old entries in HOSTS_DENY
  446. # This has no effect if PURGE_DENY is blank.
  447. #
  448. DAEMON_PURGE = 1h
  449. #
  450. #######################################################################
  451. ######### THESE SETTINGS ARE SPECIFIC TO ##########
  452. ######### DAEMON SYNCHRONIZATION ##########
  453. #######################################################################
  454. #
  455. # Synchronization mode allows the DenyHosts daemon the ability
  456. # to periodically send and receive denied host data such that
  457. # DenyHosts daemons worldwide can automatically inform one
  458. # another regarding banned hosts. This mode is disabled by
  459. # default, you must uncomment SYNC_SERVER to enable this mode.
  460. #
  461. # for more information, please refer to:
  462. # http://denyhosts.sourceforge.net/faq.html#sync
  463. #
  464. #######################################################################
  465. #######################################################################
  466. #
  467. # SYNC_SERVER: The central server that communicates with DenyHosts
  468. # daemons. Currently, denyhosts.net is the only available server
  469. # however, in the future, it may be possible for organizations to
  470. # install their own server for internal network synchronization
  471. #
  472. # To disable synchronization (the default), do nothing.
  473. #
  474. # To enable synchronization, you must uncomment the following line:
  475. #SYNC_SERVER = http://xmlrpc.denyhosts.net:9911
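  476. # Note: the URL above is plain http, so synchronized data is neither encrypted nor authenticated in transit.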
  477. #######################################################################
  478. #######################################################################
  479. #
  480. # SYNC_INTERVAL: the interval of time to perform synchronizations if
  481. # SYNC_SERVER has been uncommented. The default is 1 hour.
  482. #
  483. #SYNC_INTERVAL = 1h
  484. #
  485. #######################################################################
  486. #######################################################################
  487. #
  488. # SYNC_UPLOAD: allow your DenyHosts daemon to transmit hosts that have
  489. # been denied? This option only applies if SYNC_SERVER has
  490. # been uncommented.
  491. # The default is SYNC_UPLOAD = yes
  492. #
  493. #SYNC_UPLOAD = no
  494. #SYNC_UPLOAD = yes
  495. #
  496. #######################################################################
  497. #######################################################################
  498. #
  499. # SYNC_DOWNLOAD: allow your DenyHosts daemon to receive hosts that have
  500. # been denied by others? This option only applies if SYNC_SERVER has
  501. # been uncommented.
  502. # The default is SYNC_DOWNLOAD = yes
  503. #
  504. #SYNC_DOWNLOAD = no
  505. #SYNC_DOWNLOAD = yes
  506. #
  507. #
  508. #
  509. #######################################################################
  510. #######################################################################
  511. #
  512. # SYNC_DOWNLOAD_THRESHOLD: If SYNC_DOWNLOAD is enabled this parameter
  513. # filters the returned hosts to those that have been blocked this many
  514. # times by others. That is, if set to 1, then if a single DenyHosts
  515. # server has denied an ip address then you will receive the denied host.
  516. # Lower values mean fewer independent reports are needed before an address is denied on this host.
  517. # See also SYNC_DOWNLOAD_RESILIENCY
  518. #
  519. #SYNC_DOWNLOAD_THRESHOLD = 10
  520. #
  521. # The default is SYNC_DOWNLOAD_THRESHOLD = 3
  522. #
  523. #SYNC_DOWNLOAD_THRESHOLD = 3
  524. #
  525. #######################################################################
  526. #######################################################################
  527. #
  528. # SYNC_DOWNLOAD_RESILIENCY: If SYNC_DOWNLOAD is enabled then the
  529. # value specified for this option limits the downloaded data
  530. # to this resiliency period or greater.
  531. #
  532. # Resiliency is defined as the timespan between a hacker's first known
  533. # attack and its most recent attack. Example:
  534. #
  535. # If the centralized denyhosts.net server records an attack at 2 PM
  536. # and then again at 5 PM, specifying a SYNC_DOWNLOAD_RESILIENCY = 4h
  537. # will not download this ip address.
  538. #
  539. # However, if the attacker is recorded again at 6:15 PM then the
  540. # ip address will be downloaded by your DenyHosts instance.
  541. #
  542. # This value is used in conjunction with the SYNC_DOWNLOAD_THRESHOLD
  543. # and only hosts that satisfy both values will be downloaded.
  544. # This value has no effect if SYNC_DOWNLOAD_THRESHOLD = 1
  545. #
  546. # The default is SYNC_DOWNLOAD_RESILIENCY = 5h (5 hours)
  547. #
  548. # Only obtain hackers that have been at it for 2 days or more:
  549. #SYNC_DOWNLOAD_RESILIENCY = 2d
  550. #
  551. # Only obtain hackers that have been at it for 5 hours or more:
  552. #SYNC_DOWNLOAD_RESILIENCY = 5h
  553. #
  554. #######################################################################