Login Failure Blocking

Login Failure Blocking Triggers

Trigger - LF_TRIGGER
Login failure trigger blocking is application specific. If you set LF_TRIGGER to 0, the value of each application trigger is the number of failures against that application that will trigger the login failure daemon to block the IP address. If you set LF_TRIGGER to a value greater than 0, the application triggers are simply on or off (0 or 1) and the value of LF_TRIGGER is the total cumulative number of failures that will trigger the login failure daemon to block the IP address. Set an application trigger to 0 to disable it.
Default: 0 Range: 0-100

Trigger Block time - LF_TRIGGER_PERM
If LF_TRIGGER is greater than 0 then LF_TRIGGER_PERM can be set to 1 to permanently block the IP address, or LF_TRIGGER_PERM can be set to a value greater than 1 and the IP address will be blocked temporarily for that value in seconds.
Default: 1 Range: 0-604800

SSHD trigger - LF_SSHD
Enable login failure detection of sshd connections.
Default: 5 Range: 0-100

SSHD trigger block time - LF_SSHD_PERM
Enable permanent or temporary blocking (1 = Permanent or any value greater than 1 equal to the number of seconds to temporarily block for).
Default: 1 Range: 0-604800

FTPD trigger - LF_FTPD
Enable login failure detection of FTP connections.
Default: 10 Range: 0-100

FTPD trigger block time - LF_FTPD_PERM
Enable permanent or temporary blocking (1 = Permanent or any value greater than 1 equal to the number of seconds to temporarily block for).
Default: 1 Range: 0-604800

SMTPAUTH trigger - LF_SMTPAUTH
Enable login failure detection of SMTP AUTH connections.
Default: 5 Range: 0-100

SMTPAUTH trigger block time - LF_SMTPAUTH_PERM
Enable permanent or temporary blocking (1 = Permanent or any value greater than 1 equal to the number of seconds to temporarily block for).
Default: 1 Range: 0-604800

POP3D trigger - LF_POP3D
Enable login failure detection of POP3 connections.
Default: 10 Range: 0-100

POP3D trigger block time - LF_POP3D_PERM
Enable permanent or temporary blocking (1 = Permanent or any value greater than 1 equal to the number of seconds to temporarily block for).
Default: 1 Range: 0-604800

IMAPD trigger - LF_IMAPD
Enable login failure detection of IMAP connections.
Default: 10 Range: 0-100

IMAPD trigger block time - LF_IMAPD_PERM
Enable permanent or temporary blocking (1 = Permanent or any value greater than 1 equal to the number of seconds to temporarily block for).
Default: 1 Range: 0-604800

Htaccess trigger - LF_HTACCESS
Enable login failure detection of Apache .htpasswd connections.
Default: 5 Range: 0-100

Htaccess trigger block time - LF_HTACCESS_PERM
Enable permanent or temporary blocking (1 = Permanent or any value greater than 1 equal to the number of seconds to temporarily block for).
Default: 1 Range: 0-604800

ModSecurity trigger - LF_MODSEC
Enable failure detection of repeated Apache ModSecurity rule triggers.
Default: 5 Range: 0-100

ModSecurity trigger block time - LF_MODSEC_PERM
Enable permanent or temporary blocking (1 = Permanent or any value greater than 1 equal to the number of seconds to temporarily block for).
Default: 1 Range: 0-604800

Mod_qos trigger - LF_QOS
Enable detection of repeated Apache mod_qos rule triggers.
Default: 0 Range: 0-100

Mod_qos trigger block time - LF_QOS_PERM
Enable permanent or temporary blocking (1 = Permanent or any value greater than 1 equal to the number of seconds to temporarily block for).
Default: 1 Range: 0-604800

Suhosin trigger - LF_SUHOSIN
Enable detection of repeated Suhosin alerts.
Default: 0 Range: 0-100

Suhosin trigger block time - LF_SUHOSIN_PERM
Enable permanent or temporary blocking (1 = Permanent or any value greater than 1 equal to the number of seconds to temporarily block for).
Default: 1 Range: 0-604800

BIND trigger - LF_BIND
Enable detection of repeated BIND denied requests.
Default: 0 Range: 0|60-1000

BIND trigger block time - LF_BIND_PERM
Enable permanent or temporary blocking (1 = Permanent or any value greater than 1 equal to the number of seconds to temporarily block for).
Default: 1 Range: 0-604800

Apache 404 trigger - LF_APACHE_404
Tracks the number of "File does not exist" 404 errors in the HTACCESS_LOG. If the number of hits is more than LF_APACHE_404 in LF_INTERVAL seconds then the IP address will be blocked. To disable this option set to 0.
Default: 0 Range: 0|60-1000

Apache 404 trigger block time - LF_APACHE_404_PERM
Enable permanent or temporary blocking (1 = Permanent or any value greater than 1 equal to the number of seconds to temporarily block for).
Default: 3600 Range: 0-604800

Apache 403 trigger - LF_APACHE_403
Tracks the number of "client denied by server configuration" 403 errors in the HTACCESS_LOG. If the number of hits is more than LF_APACHE_403 in LF_INTERVAL seconds then the IP address will be blocked. To disable this option set to 0.
Default: 0 Range: 0|60-1000

Apache 403 trigger block time - LF_APACHE_403_PERM
Enable permanent or temporary blocking (1 = Permanent or any value greater than 1 equal to the number of seconds to temporarily block for).
Default: 3600 Range: 0-604800

Apache 401 trigger - LF_APACHE_401
Tracks the number of "HTTP Error 401 Unauthorized" errors in the HTACCESS_LOG. If the number of hits is more than LF_APACHE_401 in LF_INTERVAL seconds then the IP address will be blocked. To disable this option set to 0.
Default: 0 Range: 0|60-1000

Apache 401 trigger block time - LF_APACHE_401_PERM
Enable permanent or temporary blocking (1 = Permanent or any value greater than 1 equal to the number of seconds to temporarily block for).
Default: 3600 Range: 0-604800

Login Failure Blocking

Block access to failed app only - LF_SELECT
Only block access to the failed application instead of blocking the IP address completely. LF_TRIGGER must be set to 0, with the application trigger levels also set appropriately.
Default: 0 Range: 0-1

System exploit check interval - LF_EXPLOIT
Perform a series of tests to send an alert in case a possible server compromise is detected. To enable this option set the following to the checking interval in seconds. To disable this option set to 0.
Default: 300 Range: 0|6-86400

System exploit checks to ignore - LF_EXPLOIT_IGNORE
List of system exploit checks that LF_EXPLOIT will ignore (comma separated).
Default: empty

Failure tracking interval - LF_INTERVAL
The time interval in seconds to track login and other LF_ failures within.
Default: 3600 Range: 60-86400
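
The two LF_TRIGGER modes, the *_PERM values and LF_INTERVAL can be compared on the same set of failures. The following is an added example, not code from the login failure daemon: it is a simplified model that assumes a sliding LF_INTERVAL window and a block once the count reaches the threshold, and the function names, sample events and setting values are constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed settings using the option names from this page (per-application mode).
CONF = {"LF_TRIGGER": 0, "LF_TRIGGER_PERM": 1, "LF_INTERVAL": 3600,
        "LF_SSHD": 5, "LF_SSHD_PERM": 1, "LF_FTPD": 10, "LF_FTPD_PERM": 3600}

def block_duration(perm):
    """Interpret a *_PERM value: 1 = permanent, >1 = block for that many seconds."""
    if perm == 1:
        return "permanent"
    return perm if perm > 1 else None  # other values are not described on the page

def evaluate(events, conf):
    """events: time-ordered (unix_time, ip, app_option) failures.
    Returns {ip: (option_that_fired, duration)}; hypothetical model, not lfd code."""
    seen = defaultdict(deque)  # counter key -> failure timestamps inside the window
    blocked = {}
    for ts, ip, app in events:
        if ip in blocked or not conf.get(app, 0):
            continue  # already blocked, or this application trigger is set to 0
        if conf["LF_TRIGGER"] > 0:
            # Cumulative mode: app triggers are on/off, one counter per IP.
            key, limit, perm, fired = ip, conf["LF_TRIGGER"], conf["LF_TRIGGER_PERM"], "LF_TRIGGER"
        else:
            # Per-application mode: each trigger value is its own threshold.
            key, limit, perm, fired = (ip, app), conf[app], conf[app + "_PERM"], app
        q = seen[key]
        q.append(ts)
        while q[0] <= ts - conf["LF_INTERVAL"]:
            q.popleft()  # assumption: failures older than LF_INTERVAL no longer count
        if len(q) >= limit:
            blocked[ip] = (fired, block_duration(perm))
    return blocked

def sample_events():
    """Constructed failures from documentation-range addresses."""
    ev = [(t, "192.0.2.10", "LF_SSHD") for t in range(0, 40, 10)]          # 4 sshd
    ev += [(t, "192.0.2.10", "LF_FTPD") for t in range(100, 160, 10)]      # 6 ftp
    ev += [(t, "203.0.113.5", "LF_SSHD") for t in range(200, 250, 10)]     # 5 sshd
    ev += [(t, "198.51.100.7", "LF_SSHD") for t in range(0, 5000, 1000)]   # 5 sshd, spread out
    return sorted(ev)

if __name__ == "__main__":
    cumulative = dict(CONF, LF_TRIGGER=8, LF_TRIGGER_PERM=1800, LF_SSHD=1, LF_FTPD=1)
    print("per-application:", evaluate(sample_events(), CONF))
    print("cumulative:     ", evaluate(sample_events(), cumulative))
```

With these constructed values, per-application mode blocks only the address that reaches the sshd threshold, while cumulative mode blocks the address that stays under each per-service threshold but spreads ten failures across sshd and FTP.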

Parse log file interval - LF_PARSE
The number of seconds that the login failure daemon process sleeps before processing the log file entries and checking whether other events need to be triggered.
Default: 5 Range: 5-20

Flush reports interval - LF_FLUSH
The interval in seconds that is used to flush reports of usernames, files, and pids. This helps persistent problems to be reported properly.
Default: 3600 Range: 3600-86400

Repeat block interval - LF_REPEATBLOCK
The number of times to deny an already blocked IP address. To disable this option set to 0.
Default: 0 Range: 0-5

Block inbound traffic only - LF_BLOCKINONLY
Enable the blocking of inbound traffic only for blocked IP addresses (not recommended).
Default: 0 Range: 0-1
