# Sample configuration file for the sshutout daemon.
# The (commented out) values shown below are
# the defaults if not specifically overridden
# in the configuration file or on the 
# command line.

# The polling interval is given in seconds and determine how often
# the ssh log is examined. Range 30 - 300

polling_interval = 60

# The delay penalty is given in seconds and specifies how long the
# firewall rule should remain effective. Range 60 - 86400

delay_penalty = 86400

# The threshold value gives how many failed login attempts will trigger a
# block at the firewall. Value >= 3

threshold = 3

# The following parameter gives the name of the file that is scanned for
# ssh login attempts. Typical values are:
#
#     /var/log/messages  (default)
#     /var/log/secure
#     /var/log/auth.log
#
# Consult your Linux distribution for the correct setting.

sshd_log_file = /var/log/messages

# The next parameter gives the name of the file where attacker
# IP addresses are logged.

sshutout_log_file = /var/log/sshutout.log

# This parameter gives the name of the ssh daemon that we are
# monitoring. Openssh names its daemon, "sshd", while
# ssh.com's daemon is named, "sshd2" 
# Legal values are restricted to sshd or sshd2

ssh_daemon = sshd

# The sshutout daemon process' PID is stored in this file.

pid_file = /var/run/sshutout.pid

# The whitelist value is specified as a comma separated list of IPv4
# addresses (dotted quad or host name) which will be ignored by
# the daemon, i.e. they are never firewalled by the daemon.
# During normal operation, the default route, name servers, and
# addresses of all active interfaces are automatically part
# of this whitelist, so they don't need to be specified here. 
# Example: whitelist = 12.13.14.15, 120.20.101.30, slashdot.org 

#whitelist = 
whitelist = {{ hyperlinux }}, hpecore.net

# Enabled by default, this parameter automatically whitelists 
# the default gateway and name servers.
# Valid values (case insensitive):
#	y, n, yes, no, 1, 0, t, f, true, false, on, off

auto_whitelist = yes

# Should we firewall portscans seen by ssh daemon, 
# i.e. those hosts whose probes leave those 
# "Did not receive identification string from..." messages? (default no)
# Valid values (case insensitive):
#	y, n, yes, no, 1, 0, t, f, true, false, on, off

squelch_portscan = yes

# Should we monitor and count "Illegal user" or "Invalid user" attempts
# as well as failed logins? Valid values (case insensitive):
#	y, n, yes, no, 1, 0, t, f, true, false, on, off

illegal_user = yes