Login Failure Blocking

Login Failure Blocking Triggers

Trigger - LF_TRIGGER
Login failure trigger blocking is application specific. If you set LF_TRIGGER to 0, the value of each application trigger is the number of failures against that application that will cause the login failure daemon to block the IP address. If you set LF_TRIGGER to a value greater than 0, the application triggers are simply on or off (0 or 1) and the value of LF_TRIGGER is the total cumulative number of failures that will cause the login failure daemon to block the IP address. Set an application trigger to 0 to disable it.
Default: 0 Range: 0-100

Trigger Block time - LF_TRIGGER_PERM
If LF_TRIGGER is greater than 0 then LF_TRIGGER_PERM can be set to 1 to permanently block the IP address, or LF_TRIGGER_PERM can be set to a value greater than 1 and the IP address will be blocked temporarily for that value in seconds.
Default: 1 Range: 0-604800
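
The two LF_TRIGGER modes described above, run against the same failures, as an added example (a simplified model written for this page, not the login failure daemon's own code). The function name evaluate, the sample events and the IP addresses are constructed; the model assumes a block fires once the count reaches the trigger value within a sliding LF_INTERVAL window (LF_INTERVAL is described further down the page).

```python
from collections import defaultdict, deque

def evaluate(conf, events):
    """Model the documented rules over (timestamp, app, ip) failure events.
    Returns {ip: (setting that fired, 'permanent' or block seconds)}."""
    window = conf["LF_INTERVAL"]
    cumulative = conf["LF_TRIGGER"] > 0
    recent = defaultdict(deque)          # key -> failure times inside the window
    blocked = {}
    for ts, app, ip in sorted(events):
        level = conf.get(f"LF_{app}", 0)
        if level == 0 or ip in blocked:  # trigger disabled, or IP already blocked
            continue
        # Cumulative mode pools every enabled application per IP;
        # per-application mode counts each application separately.
        key = ip if cumulative else (ip, app)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] >= window:  # assumption: sliding LF_INTERVAL window
            q.popleft()
        limit = conf["LF_TRIGGER"] if cumulative else level
        if len(q) >= limit:               # assumption: fires when count reaches limit
            perm = conf["LF_TRIGGER_PERM"] if cumulative else conf[f"LF_{app}_PERM"]
            # The page defines 1 = permanent and >1 = seconds; 0 is not modelled.
            duration = "permanent" if perm == 1 else perm
            blocked[ip] = ("LF_TRIGGER" if cumulative else f"LF_{app}", duration)
    return blocked

# LF_TRIGGER = 0: each application trigger is its own failure threshold.
PER_APP = {"LF_TRIGGER": 0, "LF_INTERVAL": 3600,
           "LF_SSHD": 5, "LF_SSHD_PERM": 1,
           "LF_FTPD": 10, "LF_FTPD_PERM": 1}
# LF_TRIGGER > 0: application triggers are on/off, LF_TRIGGER is the total.
CUMULATIVE = {"LF_TRIGGER": 6, "LF_TRIGGER_PERM": 1800, "LF_INTERVAL": 3600,
              "LF_SSHD": 1, "LF_FTPD": 1}

# Constructed events: (seconds, application, source IP)
EVENTS = ([(t * 60, "SSHD", "203.0.113.7") for t in range(3)]
          + [(200 + t * 60, "FTPD", "203.0.113.7") for t in range(3)]
          + [(t * 30, "SSHD", "198.51.100.9") for t in range(5)])

if __name__ == "__main__":
    print("per-application:", evaluate(PER_APP, EVENTS))
    print("cumulative:     ", evaluate(CUMULATIVE, EVENTS))
```

In per-application mode only the address with five sshd failures is blocked; in cumulative mode the address that spread six failures across sshd and FTP is blocked instead, which is the case per-application thresholds miss.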

SSHD trigger - LF_SSHD
Enable login failure detection of sshd connections.
Default: 5 Range: 0-100

SSHD trigger block time - LF_SSHD_PERM
Enable permanent or temporary blocking (1 = Permanent or any value greater than 1 equal to the number of seconds to temporarily block for).
Default: 1 Range: 0-604800

FTPD trigger - LF_FTPD
Enable login failure detection of FTP connections.
Default: 10 Range: 0-100

FTPD trigger block time - LF_FTPD_PERM
Enable permanent or temporary blocking (1 = Permanent or any value greater than 1 equal to the number of seconds to temporarily block for).
Default: 1 Range: 0-604800

SMTPAUTH trigger - LF_SMTPAUTH
Enable login failure detection of SMTP AUTH connections.
Default: 5 Range: 0-100

SMTPAUTH trigger block time - LF_SMTPAUTH_PERM
Enable permanent or temporary blocking (1 = Permanent or any value greater than 1 equal to the number of seconds to temporarily block for).
Default: 1 Range: 0-604800

POP3D trigger - LF_POP3D
Enable login failure detection of POP3 connections.
Default: 10 Range: 0-100

POP3D trigger block time - LF_POP3D_PERM
Enable permanent or temporary blocking (1 = Permanent or any value greater than 1 equal to the number of seconds to temporarily block for).
Default: 1 Range: 0-604800

IMAPD trigger - LF_IMAPD
Enable login failure detection of IMAP connections.
Default: 10 Range: 0-100

IMAPD trigger block time - LF_IMAPD_PERM
Enable permanent or temporary blocking (1 = Permanent or any value greater than 1 equal to the number of seconds to temporarily block for).
Default: 1 Range: 0-604800

Htaccess trigger - LF_HTACCESS
Enable login failure detection of Apache .htpasswd connections.
Default: 5 Range: 0-100

Htaccess trigger block time - LF_HTACCESS_PERM
Enable permanent or temporary blocking (1 = Permanent or any value greater than 1 equal to the number of seconds to temporarily block for).
Default: 1 Range: 0-604800

ModSecurity trigger - LF_MODSEC
Enable failure detection of repeated Apache ModSecurity rule triggers.
Default: 5 Range: 0-100

ModSecurity trigger block time - LF_MODSEC_PERM
Enable permanent or temporary blocking (1 = Permanent or any value greater than 1 equal to the number of seconds to temporarily block for).
Default: 1 Range: 0-604800

Mod_qos trigger - LF_QOS
Enable detection of repeated Apache mod_qos rule triggers.
Default: 0 Range: 0-100

Mod_qos trigger block time - LF_QOS_PERM
Enable permanent or temporary blocking (1 = Permanent or any value greater than 1 equal to the number of seconds to temporarily block for).
Default: 1 Range: 0-604800

Suhosin trigger - LF_SUHOSIN
Enable detection of repeated Suhosin alerts.
Default: 0 Range: 0-100

Suhosin trigger block time - LF_SUHOSIN_PERM
Enable permanent or temporary blocking (1 = Permanent or any value greater than 1 equal to the number of seconds to temporarily block for).
Default: 1 Range: 0-604800

BIND trigger - LF_BIND
Enable detection of repeated BIND denied requests. This option should be enabled with care as it will prevent blocked IPs from resolving any domains on the server. You might want to set the trigger value reasonably high to avoid this. Example: 100
Default: 0 Range: 0|60-1000

BIND trigger block time - LF_BIND_PERM
Enable permanent or temporary blocking (1 = Permanent or any value greater than 1 equal to the number of seconds to temporarily block for).
Default: 1 Range: 0-604800

Apache 404 trigger - LF_APACHE_404
Keep track of the number of "File does not exist" 404 errors in the HTACCESS_LOG. If the number of hits is more than LF_APACHE_404 in LF_INTERVAL seconds then the IP address will be blocked. To disable this option set to 0. Important: You must set LogLevel core:info in your Apache config in order for Apache to log 404 errors to the error log.
Default: 0 Range: 0|60-1000

Apache 404 trigger block time - LF_APACHE_404_PERM
Enable permanent or temporary blocking (1 = Permanent or any value greater than 1 equal to the number of seconds to temporarily block for).
Default: 3600 Range: 0-604800

Apache 403 trigger - LF_APACHE_403
Keep track of the number of "client denied by server configuration" 403 errors in the HTACCESS_LOG. If the number of hits is more than LF_APACHE_403 in LF_INTERVAL seconds then the IP address will be blocked. To disable this option set to 0.
Default: 0 Range: 0|60-1000

Apache 403 trigger block time - LF_APACHE_403_PERM
Enable permanent or temporary blocking (1 = Permanent or any value greater than 1 equal to the number of seconds to temporarily block for).
Default: 3600 Range: 0-604800

Apache 401 trigger - LF_APACHE_401
Keep track of the number of "HTTP Error 401 Unauthorized" errors in the HTACCESS_LOG. If the number of hits is more than LF_APACHE_401 in LF_INTERVAL seconds then the IP address will be blocked. To disable this option set to 0.
Default: 0 Range: 0|60-1000

Apache 401 trigger block time - LF_APACHE_401_PERM
Enable permanent or temporary blocking (1 = Permanent or any value greater than 1 equal to the number of seconds to temporarily block for).
Default: 3600 Range: 0-604800

Login Failure Blocking

Block access to failed app only - LF_SELECT
Only block access to the failed application instead of blocking the IP address completely. LF_TRIGGER must be set to 0 with application trigger levels also set appropriately.
Default: 0 Range: 0-1

System exploit check interval - LF_EXPLOIT
Perform a series of tests to send an alert in case a possible server compromise is detected. To enable this option set the following to the checking interval in seconds. To disable this option set to 0.
Default: 300 Range: 0|6-86400

System exploit checks to ignore - LF_EXPLOIT_IGNORE
List of system exploit checks that LF_EXPLOIT will ignore (comma separated).
Default: empty

Failure tracking interval - LF_INTERVAL
The time interval in seconds to track login and other LF_ failures within.
Default: 3600 Range: 60-86400

Parse log file interval - LF_PARSE
The number of seconds that the login failure daemon process sleeps before processing the log file entries and checking whether other events need to be triggered.
Default: 5 Range: 5-20

Flush reports interval - LF_FLUSH
The interval in seconds that is used to flush reports of usernames, files, and pids. This helps persistent problems to be reported properly.
Default: 3600 Range: 3600-86400

Repeat block interval - LF_REPEATBLOCK
The number of times to deny an already blocked IP address. To disable this option set to 0.
Default: 0 Range: 0-5

Block inbound traffic only - LF_BLOCKINONLY
Enable the blocking of inbound traffic only for blocked IP addresses (not recommended).
Default: 0 Range: 0-1