Digital Mages - autofw.conf(5)


NAME

autofw.conf - Auto-firewalling daemon configuration


VERSION

$Id: autofw.conf.pod.in,v 0.1 2011/05/01 08:03:37 acorliss Exp $


SYNOPSIS

/etc/autofw.conf


DESCRIPTION

autofwd is a program which provides automatic firewalling of hosts performing login attacks against various services. The /etc/autofw.conf file contains information which controls the behavior of the daemon. It is designed to be human readable.


SYNTAX

Comments are allowed in the file and are flagged as such by the use of a leading octothorpe (#). Indentation of comments by whitespace is supported.

Options are specified by the use of an option key word (or words), a colon delimiter, and the value. Values can span multiple lines with no special notation other than subsequent lines being indented further than the first character of the option key word.

Certain options support specifying an array of values. Such arrays are separated by commas. If an array element itself needs to include a comma you can enclose the element in quotation marks (""). Quotation marks can also be included within a quoted element by escaping the internal mark (\"). If you need to include a literal backslash you would need to escape that as well (\\). The need for escapes applies only to quoted values. Unquoted values need no special handling.

Some values may require a token (typically: __IP__) which is used to mark the placement of an IP address to be inserted by the program.

An example of the syntax follows:

  # Start Configuration
  #
  # Option Foo
  Foo:  bar
  # Array option
  Bar:  one, two, three, "four/\"4\"", five
  # Token option
  Shell Command:  /usr/sbin/log_ip __IP__
  # End Configuration
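A small parser for the syntax described above, added here as an example (it is not part of the original page or of the autofwd code): it skips comments, joins continuation lines indented past the option key word, and splits array values while honouring quoted elements with \" and \\ escapes. The sample configuration embedded in it is constructed.

```python
import re

# Constructed sample configuration in the syntax described above.
SAMPLE = """\
# Start Configuration
Foo:  bar
# Array option with a quoted element
Bar:  one, two, three, "four/\\"4\\"", five
Files:  /var/log/auth.log, /var/log/misc.log,
        /var/log/foo/*.log
Shell Command:  /usr/sbin/log_ip __IP__
"""

def split_array(value):
    """Split a comma-separated value; inside "..." a comma is literal and \\" and \\\\ are escapes."""
    items, buf, quoted, i = [], [], False, 0
    while i < len(value):
        c = value[i]
        if quoted and c == '\\' and i + 1 < len(value):
            buf.append(value[i + 1])        # escaped quote or backslash
            i += 2
            continue
        if c == '"':
            quoted = not quoted             # quotation marks delimit an element
        elif c == ',' and not quoted:
            items.append(''.join(buf).strip())
            buf = []
        else:
            buf.append(c)
        i += 1
    items.append(''.join(buf).strip())
    return [item for item in items if item]

def parse_config(text):
    """Return {option: raw value}. A line indented further than the first
    character of the current option's key word continues that option's value."""
    opts, key, key_indent = {}, None, 0
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue                        # blank line or comment
        indent = len(line) - len(line.lstrip())
        if key is not None and indent > key_indent:
            opts[key] += ' ' + line.strip() # continuation line
            continue
        m = re.match(r'^(\s*)([^:]+?)\s*:\s*(.*)$', line)
        if not m:
            raise ValueError('unparseable line: %r' % line)
        key_indent, key = len(m.group(1)), m.group(2)
        opts[key] = m.group(3).strip()
    return opts
```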


OPTIONS

The following options are supported within the configuration file:

PID File

        PID File:  /var/run/autofwd.pid

This option allows you to specify the path and filename of the file to be used to store the daemon process number.

The default is /var/run/autofwd.pid. Optional.

Files

        Files:  /var/log/auth.log, /var/log/misc.log, 
                /var/log/foo/*.log

This option allows you to specify one or more files to monitor for new events. Shell-style globs are supported.

There is no default. Mandatory.

Ban Period

        Ban Period:  2d

This option allows you to designate how long a host should be firewalled off after triggering enough events. The value can be a plain integer denoting a number of seconds; the following suffixes are supported for longer periods:

  s     seconds
  m     minutes
  h     hours
  d     days
  w     weeks

The default ban period is seven days. Optional.

Triggers

        Triggers:  "sshd\\[\\d+\\]: failed (?:password|none)"

This option allows you to specify one or more regular expressions (supporting Perl and POSIX notations) which identify trackable events. Every regular expression should match only lines which include an IP address, since that address is what gets tracked.

There is no default. Mandatory.

Ban IPv? Cmd

        Ban IPv4 Cmd: /sbin/iptables -I INPUT -s __IP__ -j DROP
        Ban IPv6 Cmd: /sbin/ip6tables -I INPUT -s __IP__ -j DROP

These options allow you to specify the shell command which will perform the actual banning of offending IPs, hence the need for the __IP__ token in the command.

There is no default. Mandatory.

Unban IPv? Cmd

        Unban IPv4 Cmd: /sbin/iptables -D INPUT -s __IP__ -j DROP
        Unban IPv6 Cmd: /sbin/ip6tables -D INPUT -s __IP__ -j DROP

These options allow you to specify the shell command which will remove the firewall rule for a banned IP once its ban period expires, hence the need for the __IP__ token in the command.

There is no default. Mandatory.

List IPv? Cmd

        List IPv4 Cmd:  /sbin/iptables -L INPUT -n
        List IPv6 Cmd:  /sbin/ip6tables -L INPUT -n

These options allow you to specify the command which lists the currently banned IPs. Its output is searched with the Look For IPv? expressions to verify whether the current IP address is already banned, so that redundant firewall rules are not added. If these options are omitted, Ban IPv? Cmd may be called multiple times for the same host, creating redundant firewall rules.

There is no default. Optional.

Look For IPv?

        Look For IPv4:  ^DROP\s+all\s+(?:\S+\s+)?__IP__\b
        Look For IPv6:  ^DROP\s+all\s+(?:\S+\s+)?__IP__\b

These options allow you to specify a regular expression which, if matched, verifies that an IP already exists within the firewall. The __IP__ token is replaced with the address in question and the expression is run against the output of the corresponding List IPv? Cmd command.

There is no default. Optional.

Never Ban

        Never Ban: 127.0.0.1, ::1/128, 192.168.0.0/24, 
                   10.0.0.0/255.248.0.0

This option allows you to specify IPs or networks that should never be banned regardless of how many events are triggered. Events from addresses in this list are still tracked and reported, but they will never trigger a call to the Ban IPv? Cmd commands. IPv4 and IPv6 addresses are supported, in both CIDR and dotted netmask notations.

Threshold

        Threshold:  20

This option allows you to set the number of events required before a host is banned.

The default is 20. Optional.
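The banning decision described by the Ban Period, List IPv? Cmd, Look For IPv?, Never Ban and Threshold options above, as an added Python example that is not part of autofwd: it converts a Ban Period to seconds, checks Never Ban entries in CIDR and dotted netmask form, and fills the regex-escaped address into the Look For IPv? pattern before searching List IPv4 Cmd output, so that Ban IPv? Cmd only runs when a rule is missing. The iptables output and addresses are constructed; the Threshold default of 20 is the page's.

```python
import re
import ipaddress

# Constructed values mirroring the option examples on this page.
NEVER_BAN = ['127.0.0.1', '::1/128', '192.168.0.0/24', '10.0.0.0/255.248.0.0']
LOOK_FOR = {4: r'^DROP\s+all\s+(?:\S+\s+)?__IP__\b',
            6: r'^DROP\s+all\s+(?:\S+\s+)?__IP__\b'}

# Constructed "iptables -L INPUT -n" output with one host already banned.
IPTABLES_OUTPUT = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  203.0.113.7          0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
"""

def ban_period_seconds(value):
    """Translate a Ban Period value ('2d', '90m', '3600') into seconds."""
    m = re.fullmatch(r'\s*(\d+)\s*([smhdw]?)\s*', value)
    if not m:
        raise ValueError('bad Ban Period: %r' % value)
    mult = {'': 1, 's': 1, 'm': 60, 'h': 3600, 'd': 86400, 'w': 604800}
    return int(m.group(1)) * mult[m.group(2)]

def never_ban(ip, never_list=NEVER_BAN):
    """True if ip lies inside any Never Ban entry (CIDR or dotted netmask)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in never_list)

def already_banned(ip, list_output, look_for=LOOK_FOR):
    """Fill __IP__ into the Look For IPv? pattern and search List IPv? Cmd output.
    The address is regex-escaped so its dots cannot match arbitrary characters."""
    version = ipaddress.ip_address(ip).version
    pattern = look_for[version].replace('__IP__', re.escape(ip))
    return re.search(pattern, list_output, re.MULTILINE) is not None

def should_ban(ip, events, threshold=20, list_output=IPTABLES_OUTPUT):
    """Decide whether Ban IPv? Cmd must run for this host after `events` triggers."""
    if events < threshold or never_ban(ip):
        return False                        # below Threshold, or in Never Ban
    return not already_banned(ip, list_output)   # avoid a redundant rule
```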

Mail Server

        Mail Server:  localhost

This option allows you to designate an SMTP server to use for the mail alerts.

The default is localhost. Optional.

Admin E-mail

        Admin E-mail:  root@foo.com

This option allows you to set the e-mail account alerts are mailed to.

The default is root@localhost. Optional.

Daemon E-mail

        Daemon E-mail:  autofwd@foo.com

This option allows you to set the e-mail account alerts are sent from.

The default is autofwd@localhost. Optional.

E-mail Subject

        E-mail Subject: ALERT!!!  Failed Login Attempts!

This option allows you to set the subject line of mail alerts.

The default is '[SECURITY ALERT] IP firewalled'. Optional.

E-mail Notifications

        E-mail Notifications:  1

This option allows you to enable or disable e-mail alerts. It should be 1 for on, 0 for off.

The default is 0. Optional.


SEE ALSO

autofwd(8)


AUTHOR

Arthur Corliss (corliss@digitalmages.com)


LICENSE AND COPYRIGHT

This software is licensed under the same terms as Perl itself. Please see http://dev.perl.org/licenses/ for more information.

(c) 2009, Arthur Corliss (corliss@digitalmages.com)