Configure application specific trigger level blocking and alerts for use by the login failure daemon.
juggernaut --task=lfd:loginfailureblockingOption |
Value | Default | Description |
|---|---|---|---|
--LF_TRIGGER |
<0-100> | 0 | Login failure trigger blocking is application specific. If you set LF_TRIGGER to 0 the value of each trigger is the number of failures against that application that will trigger the login failure daemon to block the IP address. If you set LF_TRIGGER to a value greater than 0 then the application triggers are simply on or off (0 or 1) and the value of LF_TRIGGER is the total cumulative number of failures that will trigger the login failure daemon to block the IP address. Set the application trigger to 0 disable it. |
--LF_TRIGGER_PERM |
<0-604800> | 1 | If LF_TRIGGER is greater than 0 then LF_TRIGGER_PERM can be set to 1 to permanently block the IP address, or LF_TRIGGER_PERM can be set to a value greater than 1 and the IP address will be blocked temporarily for that value in seconds. |
--LF_SSHD |
<0-100> | 5 | Enable login failure detection of sshd connections. |
--LF_SSHD_PERM |
<0-604800> | 1 | Enable permanent or temporary blocking (1 = Permanent or any value greater than 1 equal to the number of seconds to temporarily block for). |
--LF_FTPD |
<0-100> | 10 | Enable login failure detection of FTP connections. |
--LF_FTPD_PERM |
<0-604800> | 1 | Enable permanent or temporary blocking (1 = Permanent or any value greater than 1 equal to the number of seconds to temporarily block for). |
--LF_SMTPAUTH |
<0-100> | 5 | Enable login failure detection of SMTP AUTH connections. |
--LF_SMTPAUTH_PERM |
<0-604800> | 1 | Enable permanent or temporary blocking (1 = Permanent or any value greater than 1 equal to the number of seconds to temporarily block for). |
--LF_POP3D |
<0-100> | 10 | Enable login failure detection of POP3 connections. |
--LF_POP3D_PERM |
<0-604800> | 1 | Enable permanent or temporary blocking (1 = Permanent or any value greater than 1 equal to the number of seconds to temporarily block for). |
--LF_IMAPD |
<0-100> | 10 | Enable login failure detection of IMAP connections. |
--LF_IMAPD_PERM |
<0-604800> | 1 | Enable permanent or temporary blocking (1 = Permanent or any value greater than 1 equal to the number of seconds to temporarily block for). |
--LF_HTACCESS |
<0-100> | 5 | Enable login failure detection of Apache .htpasswd connections. |
--LF_HTACCESS_PERM |
<0-604800> | 1 | Enable permanent or temporary blocking (1 = Permanent or any value greater than 1 equal to the number of seconds to temporarily block for). |
--LF_MODSEC |
<0-100> | 20 | Enable failure detection of repeated Apache ModSecurity rule triggers. |
--LF_MODSEC_PERM |
<0-604800> | 1 | Enable permanent or temporary blocking (1 = Permanent or any value greater than 1 equal to the number of seconds to temporarily block for). |
--LF_SUHOSIN |
<0-100> | 0 | Enable detection of repeated Suhosin alerts. |
--LF_SUHOSIN_PERM |
<0-604800> | 1 | Enable permanent or temporary blocking (1 = Permanent or any value greater than 1 equal to the number of seconds to temporarily block for). |
--LF_QOS |
<0-100> | 0 | Enable detection of repeated Apache mod_qos rule triggers. |
--LF_QOS_PERM |
<0-604800> | 1 | Enable permanent or temporary blocking (1 = Permanent or any value greater than 1 equal to the number of seconds to temporarily block for). |
--LF_BIND |
<0|60-1000> | 0 | Enable detection of repeated BIND denied requests. This option should be enabled with care as it will prevent blocked IPs from resolving any domains on the server. You might want to set the trigger value reasonably high to avoid this. Example: 100 |
--LF_BIND_PERM |
<0-604800> | 1 | Enable permanent or temporary blocking (1 = Permanent or any value greater than 1 equal to the number of seconds to temporarily block for). |
--LF_APACHE_404 |
<0|60-1000> | 0 | Track of the number of File does not exist 404 errors in the HTACCESS_LOG. If the number of hits is more than LF_APACHE_404 in LF_INTERVAL seconds then the IP address will be blocked. To disable this option set to 0. Important: You must set LogLevel core:info in your Apache config in order for Apache to log 404 errors to the error log. |
--LF_APACHE_404_PERM |
<0-604800> | 3600 | Enable permanent or temporary blocking (1 = Permanent or any value greater than 1 equal to the number of seconds to temporarily block for). |
--LF_APACHE_403 |
<0|60-1000> | 0 | Track of the number of client denied by server configuration 403 errors in the HTACCESS_LOG. If the number of hits is more than LF_APACHE_403 in LF_INTERVAL seconds then the IP address will be blocked. To disable this option set to 0. |
--LF_APACHE_403_PERM |
<0-604800> | 3600 | Enable permanent or temporary blocking (1 = Permanent or any value greater than 1 equal to the number of seconds to temporarily block for). |
--LF_APACHE_401 |
<0|60-1000> | 0 | Track of the number of HTTP Error 401 Unauthorized errors in the HTACCESS_LOG. If the number of hits is more than LF_APACHE_401 in LF_INTERVAL seconds then the IP address will be blocked. To disable this option set to 0. |
--LF_APACHE_401_PERM |
<0-604800> | 3600 | Enable permanent or temporary blocking (1 = Permanent or any value greater than 1 equal to the number of seconds to temporarily block for). |
--LF_SELECT |
<1|0> | 0 | Only block access to the failed application instead of a blocking the IP address completely. LF_TRIGGER must be set to 0 with application trigger levels also set appropriately. |
--LF_EXPLOIT |
300 | Perform a series of tests to send an alert in case a possible server compromise is detected. To enable this option set the following to the checking interval in seconds. To disable this option set to 0. | |
--LF_EXPLOIT_IGNORE |
<string1,string2> | List of system exploit checks that LF_EXPLOIT will ignore (comma separated). | |
--LF_INTERVAL |
3600 | The time interval in seconds to track login and other LF_ failures within. | |
--LF_PARSE |
<5-20> | 5 | The number of seconds that the login failure daemon process sleeps before processing the log file entries and checking whether other events need to be triggered. |
--LF_FLUSH |
3600 | The interval in seconds that is used to flush reports of usernames, files, and pids. This helps persistent problems to be reported properly. | |
--LF_REPEATBLOCK |
<0-5> | 0 | The number of times to deny an already blocked IP address. To disable this option set to 0. |
--LF_BLOCKINONLY |
<1|0> | 0 | Enable the blocking of inbound traffic only for blocked IP addresses (not recommended). |
--LF_APACHE_ERRPORT |
<0-2> | 0 | Determine if the Apache error_log format contains the client port after the client IP. Apache v2.4 ErrorLogFormat places the port number after a colon next to the client IP by default. This makes determining client IPv6 addresses difficult unless we know whether the port is being appended or not. LFD will attempt to autodetect the correct value if this option is set to autodetect. |
--LF_MODSECIPDB_ALERT |
<string> | 0 | Send an alert if the ModSecurity IP persistent storage grows excessively large. LF_MODSECIPDB_FILE must be set to the correct location of the database file. The check is performed at lfd startup and then once per hour. |
--LF_MODSECIPDB_FILE |
<string> | /var/cache/modsecurity/apache-ip.pag | The location of the modsecurity persistent IP storage file on the server. |
--default |
<yes> | Reset all settings to their default values. | |
--default_option |
<option> | Reset a specific setting to its default value. | |
--restart |
<yes> | Restart the service after saving settings. |
// set LF_IMAPD
juggernaut --task=lfd:loginfailureblocking --LF_IMAPD=5 --restart=yes
// reset LF_IMAPD back to default
juggernaut --task=lfd:loginfailureblocking --default_option=LF_IMAPD --restart=yes
// reset all settings back to default
juggernaut --task=lfd:loginfailureblocking --default=yes --restart=yes