Allegato "denyhosts.cfg"
1 ############ THESE SETTINGS ARE REQUIRED ############
2
3 ########################################################################
4 #
5 # SECURE_LOG: the log file that contains sshd logging info
6 # if you are not sure, grep "sshd:" /var/log/*
7 #
8 # The file to process can be overridden with the --file command line
9 # argument
10 #
11 # Debian or Ubuntu:
12 SECURE_LOG = /var/log/auth.log
13 #
14 # Redhat or Fedora Core:
15 #SECURE_LOG = /var/log/secure
16 #
17 # Mandrake, FreeBSD or OpenBSD:
18 #SECURE_LOG = /var/log/auth.log
19 #
20 # SuSE:
21 #SECURE_LOG = /var/log/messages
22 #
23 ########################################################################
24
25 ########################################################################
26 # HOSTS_DENY: the file which contains restricted host access information
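27 # Note: entries written here only take effect if your sshd honours tcp_wrappers (hosts_access); verify that it does.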
28 # Most operating systems:
29 HOSTS_DENY = /etc/hosts.deny
30 #
31 # Some BSD (FreeBSD) Unixes:
32 #HOSTS_DENY = /etc/hosts.allow
33 #
34 # Another possibility (also see the next option):
35 #HOSTS_DENY = /etc/hosts.evil
36 #######################################################################
37
38
39 ########################################################################
40 # PURGE_DENY: remove HOSTS_DENY entries that are older than this time
41 # when DenyHosts is invoked with the --purge flag
42 #
43 # format is: i[dhwmy]
44 # Where 'i' is an integer (eg. 7)
45 # 'm' = minutes
46 # 'h' = hours
47 # 'd' = days
48 # 'w' = weeks
49 # 'y' = years
50 # (DAEMON_SLEEP below is given as 30s, so a seconds suffix 's' appears to be accepted as well)
51 # never purge:
52 #PURGE_DENY =
53 #
54 # purge entries older than 1 day
55 PURGE_DENY = 1d
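56 # Note: with 1d a blocked host is released after one day and can retry until it exceeds a DENY_THRESHOLD_* value again.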
57 # purge entries older than 5 days
58 #PURGE_DENY = 5d
59 #######################################################################
60
61
62 #######################################################################
63 # BLOCK_SERVICE: the service name that should be blocked in HOSTS_DENY
64 #
65 # man 5 hosts_access for details
66 #
67 # eg. sshd: 127.0.0.1 # will block sshd logins from 127.0.0.1
68 #
69 # To block all services for the offending host:
70 #BLOCK_SERVICE = ALL
71 # To block only sshd:
72 BLOCK_SERVICE = sshd
73 # To only record the offending host and nothing else (if using
74 # an auxiliary file to list the hosts). Refer to:
75 # http://denyhosts.sourceforge.net/faq.html#aux
76 #BLOCK_SERVICE =
77 #
78 #######################################################################
79
80
81 #######################################################################
82 #
83 # DENY_THRESHOLD_INVALID: block each host after the number of failed login
84 # attempts has exceeded this value. This value applies to invalid
85 # user login attempts (eg. non-existent user accounts)
86 #
87 DENY_THRESHOLD_INVALID = 5
88 #
89 #######################################################################
90
91 #######################################################################
92 #
93 # DENY_THRESHOLD_VALID: block each host after the number of failed
94 # login attempts has exceeded this value. This value applies to valid
95 # user login attempts (eg. user accounts that exist in /etc/passwd) except
96 # for the "root" user
97 #
98 DENY_THRESHOLD_VALID = 10
99 #
100 #######################################################################
101
102 #######################################################################
103 #
104 # DENY_THRESHOLD_ROOT: block each host after the number of failed
105 # login attempts has exceeded this value. This value applies to
106 # "root" user login attempts only.
107 #
108 DENY_THRESHOLD_ROOT = 3
109 #
110 #######################################################################
111
112
113 #######################################################################
114 #
115 # WORK_DIR: the path that DenyHosts will use for writing data to
116 # (it will be created if it does not already exist).
117 #
118 # Note: it is recommended that you use an absolute pathname
119 # for this value (eg. /home/foo/denyhosts/data)
120 #
121 WORK_DIR = /usr/share/denyhosts/data
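122 # Note: keep this directory writable only by the account DenyHosts runs as; it holds the allowed-hosts file and DenyHosts' working data.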
123 #######################################################################
124
125 #######################################################################
126 #
127 # SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS
128 #
129 # SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES|NO
130 # If set to YES, if a suspicious login attempt results from an allowed-host
131 # then it is considered suspicious. If this is NO, then suspicious logins
132 # from allowed-hosts will not be reported. All suspicious logins from
133 # ip addresses that are not in allowed-hosts will always be reported.
134 #
135 SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
136 ######################################################################
137
138 ######################################################################
139 #
140 # HOSTNAME_LOOKUP
141 #
142 # HOSTNAME_LOOKUP=YES|NO
143 # If set to YES, for each IP address that is reported by Denyhosts,
144 # the corresponding hostname will be looked up and reported as well
145 # (if available).
146 #
147 HOSTNAME_LOOKUP=YES
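148 # Note: the looked-up name comes from reverse DNS, which the owner of the address controls; treat reported hostnames as untrusted.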
149 ######################################################################
150
151
152 ######################################################################
153 #
154 # LOCK_FILE
155 #
156 # LOCK_FILE=/path/denyhosts
157 # If this file exists when DenyHosts is run, then DenyHosts will exit
158 # immediately. Otherwise, this file will be created upon invocation
159 # and deleted upon exit. This ensures that only one instance is
160 # running at a time.
161 #
162 # Redhat/Fedora:
163 #LOCK_FILE = /var/lock/subsys/denyhosts
164 #
165 # Debian
166 LOCK_FILE = /var/run/denyhosts.pid
167 #
168 # Misc
169 #LOCK_FILE = /tmp/denyhosts.lock
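170 # Note: in a world-writable directory such as /tmp any local user can create this file first, and DenyHosts will then exit immediately (see above); prefer a directory only root can write to.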
171 ######################################################################
172
173
174 ############ THESE SETTINGS ARE OPTIONAL ############
175
176
177 #######################################################################
178 #
179 # ADMIN_EMAIL: if you would like to receive emails regarding newly
180 # restricted hosts and suspicious logins, set this address to
181 # match your email address. If you do not want to receive these reports
182 # leave this field blank (or run with the --noemail option)
183 #
184 ADMIN_EMAIL =
185 #
186 #######################################################################
187
188 #######################################################################
189 #
190 SMTP_HOST =
191 SMTP_PORT = 25
192 SMTP_FROM =
193 SMTP_SUBJECT = DenyHosts
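194 # if needed, uncomment the following lines (remove the leading #)
195 #SMTP_USERNAME=
196 #SMTP_PASSWORD=
197 # Note: SMTP_PASSWORD is stored here in clear text; if you set it, make this file readable only by the account DenyHosts runs as.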
198 #######################################################################
199
200 ######################################################################
201 #
202 # ALLOWED_HOSTS_HOSTNAME_LOOKUP
203 #
204 # ALLOWED_HOSTS_HOSTNAME_LOOKUP=YES|NO
205 # If set to YES, for each entry in the WORK_DIR/allowed-hosts file,
206 # the hostname will be looked up. If your versions of tcp_wrappers
207 # and sshd sometimes log hostnames in addition to ip addresses
208 # then you may wish to specify this option.
209 #
210 #ALLOWED_HOSTS_HOSTNAME_LOOKUP=NO
211 #
212 ######################################################################
213
214 ######################################################################
215 #
216 # AGE_RESET_VALID: Specifies the period of time between failed login
217 # attempts that, when exceeded will result in the failed count for
218 # this host to be reset to 0. This value applies to login attempts
219 # to all valid users (those within /etc/passwd) with the
220 # exception of root. If not defined, this count will never
221 # be reset.
222 #
223 # See the comments in the PURGE_DENY section (above)
224 # for details on specifying this value or for complete details
225 # refer to: http://denyhosts.sourceforge.net/faq.html#timespec
226 #
227 AGE_RESET_VALID=5d
228 #
229 ######################################################################
230
231 ######################################################################
232 #
233 # AGE_RESET_ROOT: Specifies the period of time between failed login
234 # attempts that, when exceeded will result in the failed count for
235 # this host to be reset to 0. This value applies to all login
236 # attempts to the "root" user account. If not defined,
237 # this count will never be reset.
238 #
239 # See the comments in the PURGE_DENY section (above)
240 # for details on specifying this value or for complete details
241 # refer to: http://denyhosts.sourceforge.net/faq.html#timespec
242 #
243 AGE_RESET_ROOT=25d
244 #
245 ######################################################################
246
247 ######################################################################
248 #
249 # AGE_RESET_INVALID: Specifies the period of time between failed login
250 # attempts that, when exceeded will result in the failed count for
251 # this host to be reset to 0. This value applies to login attempts
252 # made to any invalid username (those that do not appear
253 # in /etc/passwd). If not defined, count will never be reset.
254 #
255 # See the comments in the PURGE_DENY section (above)
256 # for details on specifying this value or for complete details
257 # refer to: http://denyhosts.sourceforge.net/faq.html#timespec
258 #
259 AGE_RESET_INVALID=10d
260 #
261 ######################################################################
262
263 ######################################################################
264 #
265 # PLUGIN_DENY: If set, this value should point to an executable
266 # program that will be invoked when a host is added to the
267 # HOSTS_DENY file. This executable will be passed the host
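268 # that will be added as its only argument.
269 #
270 #PLUGIN_DENY=/usr/bin/true
271 # Note: the program runs with the privileges of DenyHosts; make sure it is not writable by other users and that it treats its argument as untrusted input.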
272 ######################################################################
273
274
275 ######################################################################
276 #
277 # PLUGIN_PURGE: If set, this value should point to an executable
278 # program that will be invoked when a host is removed from the
279 # HOSTS_DENY file. This executable will be passed the host
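280 # that is to be purged as its only argument.
281 #
282 #PLUGIN_PURGE=/usr/bin/true
283 # Note: the program runs with the privileges of DenyHosts; make sure it is not writable by other users and that it treats its argument as untrusted input.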
284 ######################################################################
285
286 ######################################################################
287 #
288 # USERDEF_FAILED_ENTRY_REGEX: if set, this value should contain
289 # a regular expression that can be used to identify additional
290 # hackers for your particular ssh configuration. This functionality
291 # extends the built-in regular expressions that DenyHosts uses.
292 # This parameter can be specified multiple times.
293 # See this faq entry for more details:
294 # http://denyhosts.sf.net/faq.html#userdef_regex
295 #
296 #USERDEF_FAILED_ENTRY_REGEX=
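297 # Note: sshd log lines contain text chosen by the remote client (eg. the user name). Anchor the expression tightly and test it against sample log lines, so that the host is never taken from client-supplied text and unrelated addresses are not blocked.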
298 #
299 ######################################################################
300
301
302
303
304 ######### THESE SETTINGS ARE SPECIFIC TO DAEMON MODE ##########
305
306
307
308 #######################################################################
309 #
310 # DAEMON_LOG: when DenyHosts is run in daemon mode (--daemon flag)
311 # this is the logfile that DenyHosts uses to report its status.
312 # To disable logging, leave blank. (default is: /var/log/denyhosts)
313 #
314 DAEMON_LOG = /var/log/denyhosts
315 #
316 # disable logging:
317 #DAEMON_LOG =
318 #
319 ######################################################################
320
321 #######################################################################
322 #
323 # DAEMON_LOG_TIME_FORMAT: when DenyHosts is run in daemon mode
324 # (--daemon flag) this specifies the timestamp format of
325 # the DAEMON_LOG messages (default is the ISO 8601 format:
326 # ie. 2005-07-22 10:38:01,745)
327 #
328 # for possible values for this parameter refer to: man strftime
329 #
330 # Jan 1 13:05:59
331 #DAEMON_LOG_TIME_FORMAT = %b %d %H:%M:%S
332 #
333 # Jan 1 01:05:59
334 #DAEMON_LOG_TIME_FORMAT = %b %d %I:%M:%S
335 #
336 ######################################################################
337
338 #######################################################################
339 #
340 # DAEMON_LOG_MESSAGE_FORMAT: when DenyHosts is run in daemon mode
341 # (--daemon flag) this specifies the message format of each logged
342 # entry. By default the following format is used:
343 #
344 # %(asctime)s - %(name)-12s: %(levelname)-8s %(message)s
345 #
346 # Where the "%(asctime)s" portion is expanded to the format
347 # defined by DAEMON_LOG_TIME_FORMAT
348 #
349 # This string is passed to python's logging.Formatter constructor.
350 # For details on the possible format types please refer to:
351 # http://docs.python.org/lib/node357.html
352 #
353 # This is the default:
354 #DAEMON_LOG_MESSAGE_FORMAT = %(asctime)s - %(name)-12s: %(levelname)-8s %(message)s
355 #
356 #
357 ######################################################################
358
359
360 #######################################################################
361 #
362 # DAEMON_SLEEP: when DenyHosts is run in daemon mode (--daemon flag)
363 # this is the amount of time DenyHosts will sleep between polling
364 # the SECURE_LOG. See the comments in the PURGE_DENY section (above)
365 # for details on specifying this value or for complete details
366 # refer to: http://denyhosts.sourceforge.net/faq.html#timespec
367 #
368 #
369 DAEMON_SLEEP = 30s
370 #
371 #######################################################################
372
373 #######################################################################
374 #
375 # DAEMON_PURGE: How often should DenyHosts, when run in daemon mode,
376 # run the purge mechanism to expire old entries in HOSTS_DENY
377 # This has no effect if PURGE_DENY is blank.
378 #
379 DAEMON_PURGE = 1h
380 #
381 #######################################################################
382
383
384 ######### THESE SETTINGS ARE SPECIFIC TO ##########
385 ######### DAEMON SYNCHRONIZATION ##########
386
387
388 #######################################################################
389 #
390 # Synchronization mode allows the DenyHosts daemon the ability
391 # to periodically send and receive denied host data such that
392 # DenyHosts daemons worldwide can automatically inform one
393 # another regarding banned hosts. This mode is disabled by
394 # default, you must uncomment SYNC_SERVER to enable this mode.
395 #
396 # for more information, please refer to:
397 # http://denyhosts.sourceforge.net/faq.html#sync
398 #
399 #######################################################################
400
401
402 #######################################################################
403 #
404 # SYNC_SERVER: The central server that communicates with DenyHost
405 # daemons. Currently, denyhosts.net is the only available server
406 # however, in the future, it may be possible for organizations to
407 # install their own server for internal network synchronization
408 #
409 # To disable synchronization (the default), do nothing.
410 #
411 # To enable synchronization, you must uncomment the following line:
412 #SYNC_SERVER = http://xmlrpc.denyhosts.net:9911
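413 # Note: the URL above is plain http, so the exchange is neither encrypted nor authenticated in transit. With SYNC_DOWNLOAD enabled, hosts reported by others are received by this daemon; weigh that trust before enabling.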
414 #######################################################################
415
416 #######################################################################
417 #
418 # SYNC_INTERVAL: the interval of time to perform synchronizations if
419 # SYNC_SERVER has been uncommented. The default is 1 hour.
420 #
421 #SYNC_INTERVAL = 1h
422 #
423 #######################################################################
424
425
426 #######################################################################
427 #
428 # SYNC_UPLOAD: allow your DenyHosts daemon to transmit hosts that have
429 # been denied? This option only applies if SYNC_SERVER has
430 # been uncommented.
431 #
432 #SYNC_UPLOAD = no
433 #
434 # the default:
435 #SYNC_UPLOAD = yes
436 #
437 #######################################################################
438
439
440 #######################################################################
441 #
442 # SYNC_DOWNLOAD: allow your DenyHosts daemon to receive hosts that have
443 # been denied by others? This option only applies if SYNC_SERVER has
444 # been uncommented.
445 #
446 #SYNC_DOWNLOAD = no
447 #
448 # the default:
449 #SYNC_DOWNLOAD = yes
450 #
451 #######################################################################
452
453 #######################################################################
454 #
455 # SYNC_DOWNLOAD_THRESHOLD: If SYNC_DOWNLOAD is enabled this parameter
456 # filters the returned hosts to those that have been blocked this many
457 # times by others. That is, if set to 1, then if a single DenyHosts
458 # server has denied an ip address then you will receive the denied host.
459 # Note: a low value lets very few reporting daemons get an address denied on your host; a higher value reduces exposure to mistaken or false reports.
460 #SYNC_DOWNLOAD_THRESHOLD = 10
461 #
462 # the default:
463 #SYNC_DOWNLOAD_THRESHOLD = 3
464 #
465 #######################################################################