-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathauth.conf
More file actions
73 lines (55 loc) · 2.42 KB
/
auth.conf
File metadata and controls
73 lines (55 loc) · 2.42 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
# Config file for blacklist.pl
#
# This file should be writeable by ROOT ONLY!
#
# Make changes to this file WITH CAUTION -- NO ERROR CHECKING IS DONE by the script !
#
[iptables]
# Set "del_rule" to the complete command line instruction for REMOVING
# attackers from the blacklist with the following change:
# - Substitute the literal string 'ipaddress' in the location where you want the attacker's IP address to be.
del_rule: /sbin/iptables -D BLACKLIST -s ipaddress -j DROP
# Set "add_rule" to the complete command line instruction for ADDING
# attackers to the blacklist with the following change:
# - Substitute the literal string 'ipaddress' in the location where you want the attacker's IP address to be.
add_rule: /sbin/iptables -I BLACKLIST 1 -s ipaddress -j DROP
[log]
# The INPUT log file you want to monitor
logfile: /var/log/auth.log
# Regular Expression of reasons to get firewalled. Separate with pipe (|).
# This VARIES BASED ON THE VERSION OF SOFTWARE YOU ARE RUNNING
# Look at your logs and adjust as necessary.
# Most ssh daemons will list "Failed Password" even if it is
# an illegal user. If you put both Illegal and Failed here
# you might get double hits.
reasons: (Invalid user|authentication failure)
# Prefix for the regular expression that matches the attacker's IP address
ip_prefix:
# Maximum number of address listings before we hibernate. (This is an anti-DoS measure that will likely never fire.)
dosbail: 200
# Maximum time (sec) before they are removed from the database unless they are already blacklisted
ageout_sec: 600
# Maximum number of booboos before they get listed
maxhits: 2
# Time delay (sec) to check the database for cleanup
cleanup: 300
# Time delay (sec) before they are released from the blacklist.
# Multiply by the number of seconds in 24 hours ( 60 x 60 x 24 = 86400 sec)
release_sec: 86400
[main]
# Daemonize sshblack to background
daemonize: 1
# Set the level of verbosity.
# 1 = more periodic detail printed.
# 0 = only important stuff will be printed.
verbose: 1
# The log file for OUTPUT from the script
output_log: /var/log/blacklist/auth.log
# The text database file to keep track of attackers
cache: /var/tmp/blacklist-pending-auth
# E-mail administrator (default of "root") on critical actions
email_notify: 0
# Where the advisory E-mail is to be sent: you@domain.tld
email_to: root
# Regular Expression for whitelisted IPs - never blacklist these addresses
whitelist: ^(?:127\.0\.0\.1|192\.168\.0)