| 1 | # Sample configuration file for the sshutout daemon.
|
|---|
| 2 | # The (commented out) values shown below are
|
|---|
| 3 | # the defaults if not specifically overridden
|
|---|
| 4 | # in the configuration file or on the
|
|---|
| 5 | # command line.
|
|---|
| 6 |
|
|---|
| 7 | # The polling interval is given in seconds and determine how often
|
|---|
| 8 | # the ssh log is examined. Range 30 - 300
|
|---|
| 9 |
|
|---|
| 10 | polling_interval = 60
|
|---|
| 11 |
|
|---|
| 12 | # The delay penalty is given in seconds and specifies how long the
|
|---|
| 13 | # firewall rule should remain effective. Range 60 - 86400
|
|---|
| 14 |
|
|---|
| 15 | delay_penalty = 86400
|
|---|
| 16 |
|
|---|
| 17 | # The threshold value gives how many failed login attempts will trigger a
|
|---|
| 18 | # block at the firewall. Value >= 3
|
|---|
| 19 |
|
|---|
| 20 | threshold = 3
|
|---|
| 21 |
|
|---|
| 22 | # The following parameter gives the name of the file that is scanned for
|
|---|
| 23 | # ssh login attempts. Typical values are:
|
|---|
| 24 | #
|
|---|
| 25 | # /var/log/messages (default)
|
|---|
| 26 | # /var/log/secure
|
|---|
| 27 | # /var/log/auth.log
|
|---|
| 28 | #
|
|---|
| 29 | # Consult your Linux distribution for the correct setting.
|
|---|
| 30 |
|
|---|
| 31 | sshd_log_file = /var/log/messages
|
|---|
| 32 |
|
|---|
| 33 | # The next parameter gives the name of the file where attacker
|
|---|
| 34 | # IP addresses are logged.
|
|---|
| 35 |
|
|---|
| 36 | sshutout_log_file = /var/log/sshutout.log
|
|---|
| 37 |
|
|---|
| 38 | # This parameter gives the name of the ssh daemon that we are
|
|---|
| 39 | # monitoring. Openssh names its daemon, "sshd", while
|
|---|
| 40 | # ssh.com's daemon is named, "sshd2"
|
|---|
| 41 | # Legal values are restricted to sshd or sshd2
|
|---|
| 42 |
|
|---|
| 43 | ssh_daemon = sshd
|
|---|
| 44 |
|
|---|
| 45 | # The sshutout daemon process' PID is stored in this file.
|
|---|
| 46 |
|
|---|
| 47 | pid_file = /var/run/sshutout.pid
|
|---|
| 48 |
|
|---|
| 49 | # The whitelist value is specified as a comma separated list of IPv4
|
|---|
| 50 | # addresses (dotted quad or host name) which will be ignored by
|
|---|
| 51 | # the daemon, i.e. they are never firewalled by the daemon.
|
|---|
| 52 | # During normal operation, the default route, name servers, and
|
|---|
| 53 | # addresses of all active interfaces are automatically part
|
|---|
| 54 | # of this whitelist, so they don't need to be specified here.
|
|---|
| 55 | # Example: whitelist = 12.13.14.15, 120.20.101.30, slashdot.org
|
|---|
| 56 |
|
|---|
| 57 | #whitelist =
|
|---|
| 58 | whitelist = {{ hyperlinux }}
|
|---|
| 59 |
|
|---|
| 60 | # Enabled by default, this parameter automatically whitelists
|
|---|
| 61 | # the default gateway and name servers.
|
|---|
| 62 | # Valid values (case insensitive):
|
|---|
| 63 | # y, n, yes, no, 1, 0, t, f, true, false, on, off
|
|---|
| 64 |
|
|---|
| 65 | auto_whitelist = yes
|
|---|
| 66 |
|
|---|
| 67 | # Should we firewall portscans seen by ssh daemon,
|
|---|
| 68 | # i.e. those hosts whose probes leave those
|
|---|
| 69 | # "Did not receive identification string from..." messages? (default no)
|
|---|
| 70 | # Valid values (case insensitive):
|
|---|
| 71 | # y, n, yes, no, 1, 0, t, f, true, false, on, off
|
|---|
| 72 |
|
|---|
| 73 | squelch_portscan = yes
|
|---|
| 74 |
|
|---|
| 75 | # Should we monitor and count "Illegal user" or "Invalid user" attempts
|
|---|
| 76 | # as well as failed logins? Valid values (case insensitive):
|
|---|
| 77 | # y, n, yes, no, 1, 0, t, f, true, false, on, off
|
|---|
| 78 |
|
|---|
| 79 | illegal_user = yes
|
|---|
