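# Sample configuration file for the sshutout daemon.
# The upstream sample describes the values below as the built-in
# defaults that apply when not overridden in the configuration file
# or on the command line. In this copy every setting is active (not
# commented out), and at least squelch_portscan differs from the
# default stated in its own comment, so treat each value as an
# explicit choice and check it against the daemon's documentation.

# The polling interval is given in seconds and determines how often
# the ssh log is examined. Range 30 - 300
# Failed attempts are only noticed at the next poll, so this value
# also bounds how long a burst of guesses can run before a block.

polling_interval = 60

# The delay penalty is given in seconds and specifies how long the
# firewall rule should remain effective. Range 60 - 86400
# 86400 is the top of the allowed range (24 hours).

delay_penalty = 86400

# The threshold value gives how many failed login attempts will trigger a
# block at the firewall. Value >= 3
# 3 is the lowest value allowed. Combined with the 24 hour penalty
# above, a legitimate user who mistypes a password three times is
# locked out for a day unless the source address is whitelisted.

threshold = 3

# The following parameter gives the name of the file that is scanned for
# ssh login attempts. Typical values are:
#
# /var/log/messages (default)
# /var/log/secure
# /var/log/auth.log
#
# Consult your Linux distribution for the correct setting.
# NOTE(review): if this path is not where the ssh daemon actually
# logs on the host, no attempts will be seen and nothing will be
# blocked. Confirm after deployment that failed logins appear here.

sshd_log_file = /var/log/messages

# The next parameter gives the name of the file where attacker
# IP addresses are logged.
# NOTE(review): this file is the record of what was blocked; keep it
# writable only by the account the daemon runs as, and include it in
# log rotation and collection.

sshutout_log_file = /var/log/sshutout.log

# This parameter gives the name of the ssh daemon that we are
# monitoring. OpenSSH names its daemon "sshd", while
# ssh.com's daemon is named "sshd2".
# Legal values are restricted to sshd or sshd2

ssh_daemon = sshd

# The sshutout daemon process's PID is stored in this file.

pid_file = /var/run/sshutout.pid

# The whitelist value is specified as a comma separated list of IPv4
# addresses (dotted quad or host name) which will be ignored by
# the daemon, i.e. they are never firewalled by the daemon.
# During normal operation, the default route, name servers, and
# addresses of all active interfaces are automatically part
# of this whitelist, so they don't need to be specified here.
# Example: whitelist = 12.13.14.15, 120.20.101.30, slashdot.org
#
# NOTE(review): the active value below looks like a template
# placeholder (Jinja2-style), so this file is presumably rendered by a
# configuration management tool before use. The variable must render
# to the comma separated format described above. Check what the daemon
# does if the placeholder is left unrendered or renders empty.
# Whitelisted sources are exempt from blocking, so keep the list to
# the few administrative addresses that need it. Prefer literal
# addresses over host names, because a host name entry is only as
# trustworthy as the DNS answer it resolves to.
#
# The commented-out line is the empty setting from the sample file.

#whitelist =
whitelist = {{ hyperlinux }}

# Enabled by default, this parameter automatically whitelists
# the default gateway and name servers.
# Valid values (case insensitive):
# y, n, yes, no, 1, 0, t, f, true, false, on, off

auto_whitelist = yes

# Should we firewall portscans seen by ssh daemon,
# i.e. those hosts whose probes leave those
# "Did not receive identification string from..." messages? (default no)
# Valid values (case insensitive):
# y, n, yes, no, 1, 0, t, f, true, false, on, off
# This file overrides the stated default of no. Monitoring systems and
# load balancer health checks that open the ssh port without completing
# the handshake can leave the same log message, so whitelist them.

squelch_portscan = yes

# Should we monitor and count "Illegal user" or "Invalid user" attempts
# as well as failed logins? Valid values (case insensitive):
# y, n, yes, no, 1, 0, t, f, true, false, on, off

illegal_user = yes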