Reporting and Alerts

Reporting Settings

To: field for all alert emails - LF_ALERT_TO
This option will override the configured To: field in all login failure daemon alert emails. Leave this option empty to use the To: field setting in each alert template.
Default: empty

From: field for all alert emails - LF_ALERT_FROM
This option will override the configured From: field in all lfd alert emails. Leave this option empty to use the From: field setting in each alert template.
Default: empty

Relaying SMTP server - LF_ALERT_SMTP
Normally the login failure daemon sends all alerts using the default MTA binary. To send using SMTP directly, set this option to a relaying SMTP server, e.g. 127.0.0.1. Leave this setting blank to use the default MTA.
Default: empty

Block reporting script - BLOCK_REPORT
The login failure daemon can run an external script when it performs an IP address block. This option is the full path of the external script which must be executable.
Default: empty

Unblock reporting script - UNBLOCK_REPORT
The login failure daemon can run an external script when a temporary block is unblocked. This option is the full path of the external script, which must be executable.
Default: empty

Network Abuse Reporting

X-ARF reports - X_ARF
Enable the sending of X-ARF reports. Only block alert messages will be sent. These reports are in a format accepted by many Netblock owners and should help them investigate abuse. Only enable this option after you have checked for false-positive block reports.
Default: 0 Range: 0-1

From: field for X-ARF reports - X_ARF_FROM
Set the email From: for X-ARF reports.
Default: empty

To: field for X-ARF reports - X_ARF_TO
Set the email To: for X-ARF reports.
Default: empty

X-ARF reports sent to abuse - X_ARF_ABUSE
Automatically send reports to the abuse contact where found. Note: You MUST set X_ARF_FROM to a valid email address for this option to work. This is so that the abuse contact can reply to the report. However, you should be aware that without manual checking you could be reporting innocent IP addresses, including your own clients, yourself and your own servers. We do not recommend enabling this option. Abuse reports should be checked and verified before being forwarded to the abuse contact.
Default: 0

Alerts

Login failure blocking alerts - LF_EMAIL_ALERT
Send an email alert if an IP address is blocked by one of the application triggers.
Default: 1 Range: 0-1

SSH login alerts - LF_SSH_EMAIL_ALERT
Send an email alert if anyone logs in successfully using SSH.
Default: 1 Range: 0-1

SU alerts - LF_SU_EMAIL_ALERT
Send an email alert if anyone uses su to access another account.
Default: 1 Range: 0-1

Root console login alerts - LF_CONSOLE_EMAIL_ALERT
Send an email alert if anyone logs in successfully to root on the console.
Default: 0 Range: 0-1

Permblock blocking alerts - LF_PERMBLOCK_ALERT
Enable or disable email alerts for permanent blocks.
Default: 1 Range: 0-1

Netblock blocking alerts - LF_NETBLOCK_ALERT
Enable or disable email alerts for permanent blocks by network class.
Default: 1 Range: 0-1

Recaptcha alert - RECAPTCHA_ALERT
Send an email when an IP address successfully attempts to unblock itself. This does not necessarily mean the IP was unblocked, only that the post-recaptcha unblock request was attempted.
Default: 1

Log file flooding alerts - LOGFLOOD_ALERT
Send an email alert if log file flooding is detected. You should investigate the reported log file for the reason for the flooding if you receive this alert.
Default: 0 Range: 0-1

Portknocking alerts - PORTKNOCKING_ALERT
Send an email alert if the PORTKNOCKING port is opened. PORTKNOCKING_LOG must also be enabled.
Default: 0 Range: 0-1
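
A pre-deployment check for the constraints stated above: X_ARF_ABUSE needs a valid X_ARF_FROM, PORTKNOCKING_ALERT needs PORTKNOCKING_LOG, report scripts need a full executable path, and on/off options stay within 0-1. This is an added example, not code from lfd or its documentation; it assumes settings are stored as KEY = "value" lines, the sample configuration is constructed, and the names parse_conf and lint are hypothetical.

```python
import os
import re

# Constructed sample, assuming a KEY = "value" line layout for the config file.
SAMPLE_CONF = '''
X_ARF = "1"
X_ARF_FROM = ""
X_ARF_ABUSE = "1"
PORTKNOCKING_ALERT = "1"
PORTKNOCKING_LOG = "0"
BLOCK_REPORT = "scripts/block.sh"
UNBLOCK_REPORT = ""
LF_SSH_EMAIL_ALERT = "2"
'''

# A subset of the options this page documents with "Range: 0-1".
FLAGS = ("X_ARF", "LF_EMAIL_ALERT", "LF_SSH_EMAIL_ALERT", "LF_SU_EMAIL_ALERT",
         "LF_CONSOLE_EMAIL_ALERT", "LOGFLOOD_ALERT", "PORTKNOCKING_ALERT")

def parse_conf(text):
    """Collect KEY = "value" pairs; comment and blank lines never match."""
    pattern = r'^[ \t]*([A-Z0-9_]+)[ \t]*=[ \t]*"([^"]*)"'
    return dict(re.findall(pattern, text, re.M))

def lint(conf, is_executable=lambda p: os.access(p, os.X_OK)):
    """Return (option, problem) tuples for the constraints the page states."""
    out = []
    get = lambda key: conf.get(key, "")
    if get("X_ARF_ABUSE") == "1":
        out.append(("X_ARF_ABUSE", "unverified reports go straight to abuse contacts"))
        # Syntactic check only; it cannot tell whether the mailbox is monitored.
        if not re.fullmatch(r"[^@\s]+@[^@\s]+", get("X_ARF_FROM")):
            out.append(("X_ARF_FROM", "must be a valid address when X_ARF_ABUSE=1"))
    # Assumption: PORTKNOCKING_LOG is an on/off option where 1 means enabled.
    if get("PORTKNOCKING_ALERT") == "1" and get("PORTKNOCKING_LOG") != "1":
        out.append(("PORTKNOCKING_LOG", "must be enabled for PORTKNOCKING_ALERT"))
    for key in ("BLOCK_REPORT", "UNBLOCK_REPORT"):
        path = get(key)
        if path and not os.path.isabs(path):
            out.append((key, "must be a full path"))
        elif path and not is_executable(path):
            out.append((key, "script is not executable"))
    for key in FLAGS:
        if key in conf and conf[key] not in ("0", "1"):
            out.append((key, "outside the documented range 0-1"))
    return out

if __name__ == "__main__":
    for option, problem in lint(parse_conf(SAMPLE_CONF)):
        print(f"{option}: {problem}")
```

Run against the constructed sample, the check reports five findings; an empty list means none of the stated constraints is violated.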

Tracking Alerts

Distributed FTP alerts - LF_DISTFTP_ALERT
Send an email alert if LF_DISTFTP is triggered.
Default: 1

Login tracking alerts - LT_EMAIL_ALERT
Send an email alert if an account exceeds LT_POP3D or LT_IMAPD logins per hour.
Default: 1 Range: 0-1

Connection tracking alerts - CT_EMAIL_ALERT
Send an email alert if an IP address is blocked due to connection tracking.
Default: 1 Range: 0-1

User process killing alerts - PT_USERKILL_ALERT
Email an alert if PT_USERKILL is triggered.
Default: 1 Range: 0-1

Port scan tracking alerts - PS_EMAIL_ALERT
Enable port scan tracking email alerts.
Default: 1 Range: 0-1

Account Tracking Alerts

Account creation alerts - AT_NEW
Send alert if a new account is created.
Default: 1 Range: 0-1

Account deletion alerts - AT_OLD
Send alert if an existing account is deleted.
Default: 1 Range: 0-1

Account password change alerts - AT_PASSWD
Send alert if an account password has changed.
Default: 1 Range: 0-1

Account UID change alerts - AT_UID
Send alert if an account uid has changed.
Default: 1 Range: 0-1

Account GID change alerts - AT_GID
Send alert if an account gid has changed.
Default: 1 Range: 0-1

Account directory change alerts - AT_DIR
Send alert if an account login directory has changed.
Default: 1 Range: 0-1

Account shell change alerts - AT_SHELL
Send alert if an account login shell has changed.
Default: 1 Range: 0-1
